Post on 15-Apr-2017
ICSA Technology Conference focus on cyber security
Friday 4 November 2017
Join the conversation: ICSA_News ICSATechConf
Chair's opening remarks: Mark Child, Managing Director, GLE Consulting Limited
Building business confidence
Cyber Security
The ICSA Technology Conference 2016
ICSA THE GOVERNANCE INSTITUTE, 4TH NOVEMBER 2016
Cyber security – everyone's pet subject
• Undoubtedly the topic of the moment
• But is it anything new?
• How worried should we really be?
• How, in practical terms, do we understand and tackle 'cyber threat'?
Questions…
"What are we doing about Cyber?" "Can we be hacked?"
"What is our current level of Cyber risk?"
"Should we be doing penetration testing?" "Can't we just take out insurance?"
It's an opportunity for the authorities too
"The biggest threat to the UK way of life will come from cyber terrorism rather than traditional attacks on cities and people" – David Blunkett
"If the US government does not improve cyber defences, we will leave our nation and our economy vulnerable" – Barack Obama
"Cyber security is a Tier 1 threat to the nation and has become a strategic risk management issue for all organisations" – MI6
Hardware and software vendors…
…are never blind to a sales and marketing opportunity either
Threat landscape
• Main themes over the last year
• The risk landscape is dynamic and continuously evolving
• Cybercrime in Financial Services is the domain of organised criminals, focussed on monetising their technical advantage:
  • Ransomware
  • Phishing
  • Data theft
  • Wire fraud (and 'whale phishing')
• Smaller organisations are just as likely to be in the firing line as large firms. Their relative lack of resources means that they are easier to compromise and exploit.
• Increased reliance on third-party suppliers – a significant hidden security risk
• The threat therefore remains real, current and relevant to all
Threat landscape – The global state of information security survey 2015
Threat landscape – global: Implementation of key security safeguards
Threat landscape – global
Ransomware and cyber extortion – Martin Lee, Technical Lead Security Research, Team Lead Talos Outreach EMEA, Cisco
Digitisation of Crime
Acquisitive Crime
"The Conjurer", Hieronymus Bosch, c. 1480
Cyber Crime Business Model
Compromised System
• Steal CPU cycles → Mine bitcoins
• Steal bandwidth → DDoS, Send spam
• Steal data → Credential theft, Identity theft
Ransomware – A New Model
Ransomware Rogues Gallery
Name: AIDS Trojan | Date: Dec 1989 | Spread: Diskette | Ransom: $189 (by post) | Encryption: Symmetric (file names only)
Ransomware Rogues Gallery
Name       | Reveton                | Cryptolocker                           | Cryptowall 2.0  | Locky
Date       | May 2012               | Sep 2013                               | Sep 2014        | Feb 2016
Spread     | Exploit kits (web)     | Email                                  | Malvertising    | Email
Ransom     | $200 by Ukash, Bitcoin | $400 by Ukash or Bitcoin               | $500 or bitcoin | $300 - $400, Tor, Bitcoin
Encryption | various                | RSA-2048 bit, including network drives | RSA-2048 bit    | RSA-2048 + AES-256, including network drives, also web site version
Angler EK – The Money
Distribution
Zepto – Spam
Malvertising
A Major News Site: 26 Domains, 39 Hosts, 171 Objects, 557 Connections
Angler EK Infection Demo
Join the conversationICSA_News ICSATechConf
Chairrsquos opening remarksMark Child Managing DirectorGLE Consulting Limited
Building business confidence
Cyber Security
The ICSA Technology Conference 2016
ICSA THE GOVERNANCE INSTITUTE 4TH NOVEMBER 2016
Cyber security ndash everyonersquos pet subject
bull Undoubtedly the topic of the moment
bull But is it anything new
bull How worried should we really be
bull How in practical terms do we understand and tackle lsquocyber threatrsquo
Questionshellip
ldquoWhat are we doing about Cyberrdquo ldquoCan we be
hackedrdquo
ldquoWhat is our current level of Cyber riskrdquo
ldquoShould we be doing penetration
testingrdquoldquoCanrsquot we just take
out insurancerdquo
Itrsquos an opportunity for the authorities too
ldquoThe biggest threat to the UK way of life will come from cyber terrorism rather than
traditional attacks on cities and peoplerdquo David Blunkett
ldquoIf the US government does not improve cyber defences we will leave our nation
and our economy vulnerable Barak Obama
ldquoCyber security is a Tier 1 threat to the nation and has become a strategic risk
management issue for all organisationsrdquo MI6
Hardware and software vendorshellip
hellipare never blind to a sales and marketing opportunity either
Threat landscapebull Main themes over the last yearbull The risk landscape is dynamic and continuously evolving bull Cybercrime in Financial Services is the domain of organised criminals
- focussed on monetising their technical advantagebull Ransom-warebull Phishingbull Data theftbull Wire-fraud (and lsquowhale phishingrsquo)
bull Smaller organisations are as equally likely to be in the firing line as large firms Their relative lack of resources mean that they are easier to compromise and exploit
bull Increased reliance on third party suppliers ndash a significant hidden security risk
bull The threat therefore remains real current and relevant to all
Threat landscape ndash The global state of information security survey 2015
Threat landscape ndash globalImplementation of key security safeguards
Threat landscape ndash global
Ransomware and cyber extortionMartin LeeTechnical Lead Security Research Team Lead Talos Outreach EMEA Cisco
Martin LeeTechnical Lead Security Research
Digitisation of Crime
Acquisit ive Crime
ldquoThe Conjurerrdquo Hieronymus Bosch c1480
Cyber Crime Business Model
CompromisedSystem
Steal CPU Cycles
Steal Bandwidth
Steal Data
Mine bitcoins
DDOSSend spam
Credential theftIdentity theft
Ransomware - A New Model
Ransomware Rogues Gallery
Name AIDS TrojanDate Dec 1989Spread DisketteRansom $189 (by post)Encryption
Symmetric (file names only)
Ransomware Rogues Gallery
Name Reveton Cryptolocker Cryptowall 20
Locky
Date May 2012 Sep 2013 Sep 2014 Feb 2016Spread Exploit kits
(web)Email Malvertising Email
Ransom $200 by Ukash Bitcoin
$400 by Ukash or Bitcoin
$500 or bitcoin
$300 - $400 Tor Bitcoin
Encryption
various RSA-2048 bit Including network drives
RSA- 2048 bit RSA-2048 + AES-256 including network drives also web site version
Angler EK - The Money
Distribution
Zepto - Spam
Malvertis ing
A Major News Site
26 Domains 39 Hosts171 Objects557 Connections
Angler EK Infection Demo
Chairrsquos opening remarksMark Child Managing DirectorGLE Consulting Limited
Building business confidence
Cyber Security
The ICSA Technology Conference 2016
ICSA THE GOVERNANCE INSTITUTE 4TH NOVEMBER 2016
Cyber security ndash everyonersquos pet subject
bull Undoubtedly the topic of the moment
bull But is it anything new
bull How worried should we really be
bull How in practical terms do we understand and tackle lsquocyber threatrsquo
Questionshellip
ldquoWhat are we doing about Cyberrdquo ldquoCan we be
hackedrdquo
ldquoWhat is our current level of Cyber riskrdquo
ldquoShould we be doing penetration
testingrdquoldquoCanrsquot we just take
out insurancerdquo
Itrsquos an opportunity for the authorities too
ldquoThe biggest threat to the UK way of life will come from cyber terrorism rather than
traditional attacks on cities and peoplerdquo David Blunkett
ldquoIf the US government does not improve cyber defences we will leave our nation
and our economy vulnerable Barak Obama
ldquoCyber security is a Tier 1 threat to the nation and has become a strategic risk
management issue for all organisationsrdquo MI6
Hardware and software vendorshellip
hellipare never blind to a sales and marketing opportunity either
Threat landscapebull Main themes over the last yearbull The risk landscape is dynamic and continuously evolving bull Cybercrime in Financial Services is the domain of organised criminals
- focussed on monetising their technical advantagebull Ransom-warebull Phishingbull Data theftbull Wire-fraud (and lsquowhale phishingrsquo)
bull Smaller organisations are as equally likely to be in the firing line as large firms Their relative lack of resources mean that they are easier to compromise and exploit
bull Increased reliance on third party suppliers ndash a significant hidden security risk
bull The threat therefore remains real current and relevant to all
Threat landscape ndash The global state of information security survey 2015
Threat landscape ndash globalImplementation of key security safeguards
Threat landscape ndash global
Ransomware and cyber extortionMartin LeeTechnical Lead Security Research Team Lead Talos Outreach EMEA Cisco
Martin LeeTechnical Lead Security Research
Digitisation of Crime
Acquisit ive Crime
ldquoThe Conjurerrdquo Hieronymus Bosch c1480
Cyber Crime Business Model
CompromisedSystem
Steal CPU Cycles
Steal Bandwidth
Steal Data
Mine bitcoins
DDOSSend spam
Credential theftIdentity theft
Ransomware - A New Model
Ransomware Rogues Gallery
Name AIDS TrojanDate Dec 1989Spread DisketteRansom $189 (by post)Encryption
Symmetric (file names only)
Ransomware Rogues Gallery
Name Reveton Cryptolocker Cryptowall 20
Locky
Date May 2012 Sep 2013 Sep 2014 Feb 2016Spread Exploit kits
(web)Email Malvertising Email
Ransom $200 by Ukash Bitcoin
$400 by Ukash or Bitcoin
$500 or bitcoin
$300 - $400 Tor Bitcoin
Encryption
various RSA-2048 bit Including network drives
RSA- 2048 bit RSA-2048 + AES-256 including network drives also web site version
Angler EK - The Money
Distribution
Zepto - Spam
Malvertis ing
A Major News Site
26 Domains 39 Hosts171 Objects557 Connections
Angler EK Infection Demo
Building business confidence
Cyber Security
The ICSA Technology Conference 2016
ICSA THE GOVERNANCE INSTITUTE 4TH NOVEMBER 2016
Cyber security ndash everyonersquos pet subject
bull Undoubtedly the topic of the moment
bull But is it anything new
bull How worried should we really be
bull How in practical terms do we understand and tackle lsquocyber threatrsquo
Questionshellip
ldquoWhat are we doing about Cyberrdquo ldquoCan we be
hackedrdquo
ldquoWhat is our current level of Cyber riskrdquo
ldquoShould we be doing penetration
testingrdquoldquoCanrsquot we just take
out insurancerdquo
Itrsquos an opportunity for the authorities too
ldquoThe biggest threat to the UK way of life will come from cyber terrorism rather than
traditional attacks on cities and peoplerdquo David Blunkett
ldquoIf the US government does not improve cyber defences we will leave our nation
and our economy vulnerable Barak Obama
ldquoCyber security is a Tier 1 threat to the nation and has become a strategic risk
management issue for all organisationsrdquo MI6
Hardware and software vendorshellip
hellipare never blind to a sales and marketing opportunity either
Threat landscapebull Main themes over the last yearbull The risk landscape is dynamic and continuously evolving bull Cybercrime in Financial Services is the domain of organised criminals
- focussed on monetising their technical advantagebull Ransom-warebull Phishingbull Data theftbull Wire-fraud (and lsquowhale phishingrsquo)
bull Smaller organisations are as equally likely to be in the firing line as large firms Their relative lack of resources mean that they are easier to compromise and exploit
bull Increased reliance on third party suppliers ndash a significant hidden security risk
bull The threat therefore remains real current and relevant to all
Threat landscape ndash The global state of information security survey 2015
Threat landscape ndash globalImplementation of key security safeguards
Threat landscape ndash global
Ransomware and cyber extortionMartin LeeTechnical Lead Security Research Team Lead Talos Outreach EMEA Cisco
Martin LeeTechnical Lead Security Research
Digitisation of Crime
Acquisit ive Crime
ldquoThe Conjurerrdquo Hieronymus Bosch c1480
Cyber Crime Business Model
CompromisedSystem
Steal CPU Cycles
Steal Bandwidth
Steal Data
Mine bitcoins
DDOSSend spam
Credential theftIdentity theft
Ransomware - A New Model
Ransomware Rogues Gallery
Name AIDS TrojanDate Dec 1989Spread DisketteRansom $189 (by post)Encryption
Symmetric (file names only)
Ransomware Rogues Gallery
Name Reveton Cryptolocker Cryptowall 20
Locky
Date May 2012 Sep 2013 Sep 2014 Feb 2016Spread Exploit kits
(web)Email Malvertising Email
Ransom $200 by Ukash Bitcoin
$400 by Ukash or Bitcoin
$500 or bitcoin
$300 - $400 Tor Bitcoin
Encryption
various RSA-2048 bit Including network drives
RSA- 2048 bit RSA-2048 + AES-256 including network drives also web site version
Angler EK - The Money
Distribution
Zepto - Spam
Malvertis ing
A Major News Site
26 Domains 39 Hosts171 Objects557 Connections
Angler EK Infection Demo
Cyber Security
The ICSA Technology Conference 2016
ICSA THE GOVERNANCE INSTITUTE 4TH NOVEMBER 2016
Cyber security ndash everyonersquos pet subject
bull Undoubtedly the topic of the moment
bull But is it anything new
bull How worried should we really be
bull How in practical terms do we understand and tackle lsquocyber threatrsquo
Questionshellip
ldquoWhat are we doing about Cyberrdquo ldquoCan we be
hackedrdquo
ldquoWhat is our current level of Cyber riskrdquo
ldquoShould we be doing penetration
testingrdquoldquoCanrsquot we just take
out insurancerdquo
Itrsquos an opportunity for the authorities too
ldquoThe biggest threat to the UK way of life will come from cyber terrorism rather than
traditional attacks on cities and peoplerdquo David Blunkett
ldquoIf the US government does not improve cyber defences we will leave our nation
and our economy vulnerable Barak Obama
ldquoCyber security is a Tier 1 threat to the nation and has become a strategic risk
management issue for all organisationsrdquo MI6
Hardware and software vendorshellip
hellipare never blind to a sales and marketing opportunity either
Threat landscapebull Main themes over the last yearbull The risk landscape is dynamic and continuously evolving bull Cybercrime in Financial Services is the domain of organised criminals
- focussed on monetising their technical advantagebull Ransom-warebull Phishingbull Data theftbull Wire-fraud (and lsquowhale phishingrsquo)
bull Smaller organisations are as equally likely to be in the firing line as large firms Their relative lack of resources mean that they are easier to compromise and exploit
bull Increased reliance on third party suppliers ndash a significant hidden security risk
bull The threat therefore remains real current and relevant to all
Threat landscape ndash The global state of information security survey 2015
Threat landscape ndash globalImplementation of key security safeguards
Threat landscape ndash global
Ransomware and cyber extortionMartin LeeTechnical Lead Security Research Team Lead Talos Outreach EMEA Cisco
Martin LeeTechnical Lead Security Research
Digitisation of Crime
Acquisit ive Crime
ldquoThe Conjurerrdquo Hieronymus Bosch c1480
Cyber Crime Business Model
CompromisedSystem
Steal CPU Cycles
Steal Bandwidth
Steal Data
Mine bitcoins
DDOSSend spam
Credential theftIdentity theft
Ransomware - A New Model
Ransomware Rogues Gallery
Name AIDS TrojanDate Dec 1989Spread DisketteRansom $189 (by post)Encryption
Symmetric (file names only)
Ransomware Rogues Gallery
Name Reveton Cryptolocker Cryptowall 20
Locky
Date May 2012 Sep 2013 Sep 2014 Feb 2016Spread Exploit kits
(web)Email Malvertising Email
Ransom $200 by Ukash Bitcoin
$400 by Ukash or Bitcoin
$500 or bitcoin
$300 - $400 Tor Bitcoin
Encryption
various RSA-2048 bit Including network drives
RSA- 2048 bit RSA-2048 + AES-256 including network drives also web site version
Angler EK - The Money
Distribution
Zepto - Spam
Malvertis ing
A Major News Site
26 Domains 39 Hosts171 Objects557 Connections
Angler EK Infection Demo
Cyber security ndash everyonersquos pet subject
bull Undoubtedly the topic of the moment
bull But is it anything new
bull How worried should we really be
bull How in practical terms do we understand and tackle lsquocyber threatrsquo
Questionshellip
ldquoWhat are we doing about Cyberrdquo ldquoCan we be
hackedrdquo
ldquoWhat is our current level of Cyber riskrdquo
ldquoShould we be doing penetration
testingrdquoldquoCanrsquot we just take
out insurancerdquo
Itrsquos an opportunity for the authorities too
ldquoThe biggest threat to the UK way of life will come from cyber terrorism rather than
traditional attacks on cities and peoplerdquo David Blunkett
ldquoIf the US government does not improve cyber defences we will leave our nation
and our economy vulnerable Barak Obama
ldquoCyber security is a Tier 1 threat to the nation and has become a strategic risk
management issue for all organisationsrdquo MI6
Hardware and software vendorshellip
hellipare never blind to a sales and marketing opportunity either
Threat landscapebull Main themes over the last yearbull The risk landscape is dynamic and continuously evolving bull Cybercrime in Financial Services is the domain of organised criminals
- focussed on monetising their technical advantagebull Ransom-warebull Phishingbull Data theftbull Wire-fraud (and lsquowhale phishingrsquo)
bull Smaller organisations are as equally likely to be in the firing line as large firms Their relative lack of resources mean that they are easier to compromise and exploit
bull Increased reliance on third party suppliers ndash a significant hidden security risk
bull The threat therefore remains real current and relevant to all
Threat landscape ndash The global state of information security survey 2015
Threat landscape ndash globalImplementation of key security safeguards
Threat landscape ndash global
Ransomware and cyber extortionMartin LeeTechnical Lead Security Research Team Lead Talos Outreach EMEA Cisco
Martin LeeTechnical Lead Security Research
Digitisation of Crime
Acquisit ive Crime
ldquoThe Conjurerrdquo Hieronymus Bosch c1480
Cyber Crime Business Model
CompromisedSystem
Steal CPU Cycles
Steal Bandwidth
Steal Data
Mine bitcoins
DDOSSend spam
Credential theftIdentity theft
Ransomware - A New Model
Ransomware Rogues Gallery
Name AIDS TrojanDate Dec 1989Spread DisketteRansom $189 (by post)Encryption
Symmetric (file names only)
Ransomware Rogues Gallery
Name Reveton Cryptolocker Cryptowall 20
Locky
Date May 2012 Sep 2013 Sep 2014 Feb 2016Spread Exploit kits
(web)Email Malvertising Email
Ransom $200 by Ukash Bitcoin
$400 by Ukash or Bitcoin
$500 or bitcoin
$300 - $400 Tor Bitcoin
Encryption
various RSA-2048 bit Including network drives
RSA- 2048 bit RSA-2048 + AES-256 including network drives also web site version
Angler EK - The Money
Distribution
Zepto - Spam
Malvertis ing
A Major News Site
26 Domains 39 Hosts171 Objects557 Connections
Angler EK Infection Demo
Questionshellip
ldquoWhat are we doing about Cyberrdquo ldquoCan we be
hackedrdquo
ldquoWhat is our current level of Cyber riskrdquo
ldquoShould we be doing penetration
testingrdquoldquoCanrsquot we just take
out insurancerdquo
Itrsquos an opportunity for the authorities too
ldquoThe biggest threat to the UK way of life will come from cyber terrorism rather than
traditional attacks on cities and peoplerdquo David Blunkett
ldquoIf the US government does not improve cyber defences we will leave our nation
and our economy vulnerable Barak Obama
ldquoCyber security is a Tier 1 threat to the nation and has become a strategic risk
management issue for all organisationsrdquo MI6
Hardware and software vendorshellip
hellipare never blind to a sales and marketing opportunity either
Threat landscapebull Main themes over the last yearbull The risk landscape is dynamic and continuously evolving bull Cybercrime in Financial Services is the domain of organised criminals
- focussed on monetising their technical advantagebull Ransom-warebull Phishingbull Data theftbull Wire-fraud (and lsquowhale phishingrsquo)
bull Smaller organisations are as equally likely to be in the firing line as large firms Their relative lack of resources mean that they are easier to compromise and exploit
bull Increased reliance on third party suppliers ndash a significant hidden security risk
bull The threat therefore remains real current and relevant to all
Threat landscape ndash The global state of information security survey 2015
Threat landscape ndash globalImplementation of key security safeguards
Threat landscape ndash global
Ransomware and cyber extortionMartin LeeTechnical Lead Security Research Team Lead Talos Outreach EMEA Cisco
Martin LeeTechnical Lead Security Research
Digitisation of Crime
Acquisit ive Crime
ldquoThe Conjurerrdquo Hieronymus Bosch c1480
Cyber Crime Business Model
CompromisedSystem
Steal CPU Cycles
Steal Bandwidth
Steal Data
Mine bitcoins
DDOSSend spam
Credential theftIdentity theft
Ransomware - A New Model
Ransomware Rogues Gallery
Name AIDS TrojanDate Dec 1989Spread DisketteRansom $189 (by post)Encryption
Symmetric (file names only)
Ransomware Rogues Gallery
Name Reveton Cryptolocker Cryptowall 20
Locky
Date May 2012 Sep 2013 Sep 2014 Feb 2016Spread Exploit kits
(web)Email Malvertising Email
Ransom $200 by Ukash Bitcoin
$400 by Ukash or Bitcoin
$500 or bitcoin
$300 - $400 Tor Bitcoin
Encryption
various RSA-2048 bit Including network drives
RSA- 2048 bit RSA-2048 + AES-256 including network drives also web site version
Angler EK - The Money
Distribution
Zepto - Spam
Malvertis ing
A Major News Site
26 Domains 39 Hosts171 Objects557 Connections
Angler EK Infection Demo
Itrsquos an opportunity for the authorities too
ldquoThe biggest threat to the UK way of life will come from cyber terrorism rather than
traditional attacks on cities and peoplerdquo David Blunkett
ldquoIf the US government does not improve cyber defences we will leave our nation
and our economy vulnerable Barak Obama
ldquoCyber security is a Tier 1 threat to the nation and has become a strategic risk
management issue for all organisationsrdquo MI6
Hardware and software vendorshellip
hellipare never blind to a sales and marketing opportunity either
Threat landscapebull Main themes over the last yearbull The risk landscape is dynamic and continuously evolving bull Cybercrime in Financial Services is the domain of organised criminals
- focussed on monetising their technical advantagebull Ransom-warebull Phishingbull Data theftbull Wire-fraud (and lsquowhale phishingrsquo)
bull Smaller organisations are as equally likely to be in the firing line as large firms Their relative lack of resources mean that they are easier to compromise and exploit
bull Increased reliance on third party suppliers ndash a significant hidden security risk
bull The threat therefore remains real current and relevant to all
Threat landscape ndash The global state of information security survey 2015
Threat landscape ndash globalImplementation of key security safeguards
Threat landscape ndash global
Ransomware and cyber extortionMartin LeeTechnical Lead Security Research Team Lead Talos Outreach EMEA Cisco
Martin LeeTechnical Lead Security Research
Digitisation of Crime
Acquisit ive Crime
ldquoThe Conjurerrdquo Hieronymus Bosch c1480
Cyber Crime Business Model
CompromisedSystem
Steal CPU Cycles
Steal Bandwidth
Steal Data
Mine bitcoins
DDOSSend spam
Credential theftIdentity theft
Ransomware - A New Model
Ransomware Rogues Gallery
Name AIDS TrojanDate Dec 1989Spread DisketteRansom $189 (by post)Encryption
Symmetric (file names only)
Ransomware Rogues Gallery
Name Reveton Cryptolocker Cryptowall 20
Locky
Date May 2012 Sep 2013 Sep 2014 Feb 2016Spread Exploit kits
(web)Email Malvertising Email
Ransom $200 by Ukash Bitcoin
$400 by Ukash or Bitcoin
$500 or bitcoin
$300 - $400 Tor Bitcoin
Encryption
various RSA-2048 bit Including network drives
RSA- 2048 bit RSA-2048 + AES-256 including network drives also web site version
Angler EK - The Money
Distribution
Zepto - Spam
Malvertis ing
A Major News Site
26 Domains 39 Hosts171 Objects557 Connections
Angler EK Infection Demo
Hardware and software vendorshellip
hellipare never blind to a sales and marketing opportunity either
Threat landscapebull Main themes over the last yearbull The risk landscape is dynamic and continuously evolving bull Cybercrime in Financial Services is the domain of organised criminals
- focussed on monetising their technical advantagebull Ransom-warebull Phishingbull Data theftbull Wire-fraud (and lsquowhale phishingrsquo)
bull Smaller organisations are as equally likely to be in the firing line as large firms Their relative lack of resources mean that they are easier to compromise and exploit
bull Increased reliance on third party suppliers ndash a significant hidden security risk
bull The threat therefore remains real current and relevant to all
Threat landscape ndash The global state of information security survey 2015
Threat landscape ndash globalImplementation of key security safeguards
Threat landscape ndash global
Ransomware and cyber extortionMartin LeeTechnical Lead Security Research Team Lead Talos Outreach EMEA Cisco
Martin LeeTechnical Lead Security Research
Digitisation of Crime
Acquisit ive Crime
ldquoThe Conjurerrdquo Hieronymus Bosch c1480
Cyber Crime Business Model
CompromisedSystem
Steal CPU Cycles
Steal Bandwidth
Steal Data
Mine bitcoins
DDOSSend spam
Credential theftIdentity theft
Ransomware - A New Model
Ransomware Rogues Gallery
Name AIDS TrojanDate Dec 1989Spread DisketteRansom $189 (by post)Encryption
Symmetric (file names only)
Ransomware Rogues Gallery
Name Reveton Cryptolocker Cryptowall 20
Locky
Date May 2012 Sep 2013 Sep 2014 Feb 2016Spread Exploit kits
(web)Email Malvertising Email
Ransom $200 by Ukash Bitcoin
$400 by Ukash or Bitcoin
$500 or bitcoin
$300 - $400 Tor Bitcoin
Encryption
various RSA-2048 bit Including network drives
RSA- 2048 bit RSA-2048 + AES-256 including network drives also web site version
Angler EK - The Money
Distribution
Zepto - Spam
Malvertis ing
A Major News Site
26 Domains 39 Hosts171 Objects557 Connections
Angler EK Infection Demo
Threat landscapebull Main themes over the last yearbull The risk landscape is dynamic and continuously evolving bull Cybercrime in Financial Services is the domain of organised criminals
- focussed on monetising their technical advantagebull Ransom-warebull Phishingbull Data theftbull Wire-fraud (and lsquowhale phishingrsquo)
bull Smaller organisations are as equally likely to be in the firing line as large firms Their relative lack of resources mean that they are easier to compromise and exploit
bull Increased reliance on third party suppliers ndash a significant hidden security risk
bull The threat therefore remains real current and relevant to all
Threat landscape ndash The global state of information security survey 2015
Threat landscape ndash globalImplementation of key security safeguards
Threat landscape ndash global
Ransomware and cyber extortionMartin LeeTechnical Lead Security Research Team Lead Talos Outreach EMEA Cisco
Martin LeeTechnical Lead Security Research
Digitisation of Crime
Acquisit ive Crime
ldquoThe Conjurerrdquo Hieronymus Bosch c1480
Cyber Crime Business Model
CompromisedSystem
Steal CPU Cycles
Steal Bandwidth
Steal Data
Mine bitcoins
DDOSSend spam
Credential theftIdentity theft
Ransomware - A New Model
Ransomware Rogues Gallery
Name AIDS TrojanDate Dec 1989Spread DisketteRansom $189 (by post)Encryption
Symmetric (file names only)
Ransomware Rogues Gallery
Name Reveton Cryptolocker Cryptowall 20
Locky
Date May 2012 Sep 2013 Sep 2014 Feb 2016Spread Exploit kits
(web)Email Malvertising Email
Ransom $200 by Ukash Bitcoin
$400 by Ukash or Bitcoin
$500 or bitcoin
$300 - $400 Tor Bitcoin
Encryption
various RSA-2048 bit Including network drives
RSA- 2048 bit RSA-2048 + AES-256 including network drives also web site version
Angler EK - The Money
Distribution
Zepto - Spam
Malvertis ing
A Major News Site
26 Domains 39 Hosts171 Objects557 Connections
Angler EK Infection Demo
Threat landscape ndash The global state of information security survey 2015
Threat landscape ndash globalImplementation of key security safeguards
Threat landscape ndash global
Ransomware and cyber extortionMartin LeeTechnical Lead Security Research Team Lead Talos Outreach EMEA Cisco
Martin LeeTechnical Lead Security Research
Digitisation of Crime
Acquisit ive Crime
ldquoThe Conjurerrdquo Hieronymus Bosch c1480
Cyber Crime Business Model
CompromisedSystem
Steal CPU Cycles
Steal Bandwidth
Steal Data
Mine bitcoins
DDOSSend spam
Credential theftIdentity theft
Ransomware - A New Model
Ransomware Rogues Gallery
Name AIDS TrojanDate Dec 1989Spread DisketteRansom $189 (by post)Encryption
Symmetric (file names only)
Ransomware Rogues Gallery
Name Reveton Cryptolocker Cryptowall 20
Locky
Date May 2012 Sep 2013 Sep 2014 Feb 2016Spread Exploit kits
(web)Email Malvertising Email
Ransom $200 by Ukash Bitcoin
$400 by Ukash or Bitcoin
$500 or bitcoin
$300 - $400 Tor Bitcoin
Encryption
various RSA-2048 bit Including network drives
RSA- 2048 bit RSA-2048 + AES-256 including network drives also web site version
Angler EK - The Money
Distribution
Zepto - Spam
Malvertis ing
A Major News Site
26 Domains 39 Hosts171 Objects557 Connections
Angler EK Infection Demo
Threat landscape ndash globalImplementation of key security safeguards
Threat landscape ndash global
Ransomware and cyber extortionMartin LeeTechnical Lead Security Research Team Lead Talos Outreach EMEA Cisco
Martin LeeTechnical Lead Security Research
Digitisation of Crime
Acquisit ive Crime
ldquoThe Conjurerrdquo Hieronymus Bosch c1480
Cyber Crime Business Model
CompromisedSystem
Steal CPU Cycles
Steal Bandwidth
Steal Data
Mine bitcoins
DDOSSend spam
Credential theftIdentity theft
Ransomware - A New Model
Ransomware Rogues Gallery
Name AIDS TrojanDate Dec 1989Spread DisketteRansom $189 (by post)Encryption
Symmetric (file names only)
Ransomware Rogues Gallery
Name Reveton Cryptolocker Cryptowall 20
Locky
Date May 2012 Sep 2013 Sep 2014 Feb 2016Spread Exploit kits
(web)Email Malvertising Email
Ransom $200 by Ukash Bitcoin
$400 by Ukash or Bitcoin
$500 or bitcoin
$300 - $400 Tor Bitcoin
Encryption
various RSA-2048 bit Including network drives
RSA- 2048 bit RSA-2048 + AES-256 including network drives also web site version
Angler EK - The Money
Distribution
Zepto - Spam
Malvertis ing
A Major News Site
26 Domains 39 Hosts171 Objects557 Connections
Angler EK Infection Demo
Threat landscape ndash global
Ransomware and cyber extortionMartin LeeTechnical Lead Security Research Team Lead Talos Outreach EMEA Cisco
Martin LeeTechnical Lead Security Research
Digitisation of Crime
Acquisit ive Crime
ldquoThe Conjurerrdquo Hieronymus Bosch c1480
Cyber Crime Business Model
CompromisedSystem
Steal CPU Cycles
Steal Bandwidth
Steal Data
Mine bitcoins
DDOSSend spam
Credential theftIdentity theft
Ransomware - A New Model
Ransomware Rogues Gallery
Name AIDS TrojanDate Dec 1989Spread DisketteRansom $189 (by post)Encryption
Symmetric (file names only)
Ransomware Rogues Gallery
Name Reveton Cryptolocker Cryptowall 20
Locky
Date May 2012 Sep 2013 Sep 2014 Feb 2016Spread Exploit kits
(web)Email Malvertising Email
Ransom $200 by Ukash Bitcoin
$400 by Ukash or Bitcoin
$500 or bitcoin
$300 - $400 Tor Bitcoin
Encryption
various RSA-2048 bit Including network drives
RSA- 2048 bit RSA-2048 + AES-256 including network drives also web site version
Angler EK - The Money
Distribution
Zepto - Spam
Malvertis ing
A Major News Site
26 Domains 39 Hosts171 Objects557 Connections
Angler EK Infection Demo
SamSam – March 2016
Scan for JBoss vulnerability → install web shell → expand presence on network → install SamSam malware → encrypt files & demand payment
SamSam – March 2016
Vulnerable systems: 3.2 million ‘at risk’ machines
Scan for JBoss vulnerability: CVE-2010-0738
Install web shell: 2,100 installed web shells
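The JBoss issue SamSam used for its initial access, CVE-2010-0738, is a verb-tampering authentication bypass: the JMX console's security constraint covered only GET and POST, so any other HTTP method reached the console without authentication. The following added example (written for this page, not Talos code) shows the two defender-side checks that follow from that: auditing a web.xml for security constraints that list explicit HTTP methods, and scanning access-log lines for non-GET/POST requests to the console that were served rather than rejected. The web.xml fragment, the namespace-free <web-app> root, and the log lines are all constructed.

```python
"""Defender-side checks for the JBoss JMX-console verb-tampering bypass
(CVE-2010-0738). Added example, not Talos code. The web.xml fragment and the
access-log lines are constructed for illustration."""
import re
import xml.etree.ElementTree as ET

# Constructed web.xml in the shape of the vulnerable default: the constraint
# names only GET and POST, so HEAD, PUT or any invented verb bypasses the
# auth-constraint. (Assumes a namespace-free <web-app> root.)
VULNERABLE_WEB_XML = """<?xml version="1.0"?>
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Hardened form: removing the <http-method> entries makes the constraint
# apply to every verb instead of only the two that were listed.
HARDENED_WEB_XML = re.sub(r"\s*<http-method>[^<]*</http-method>", "", VULNERABLE_WEB_XML)


def verb_limited_constraints(web_xml: str) -> list:
    """List (resource name, methods) for every web-resource-collection whose
    security-constraint is restricted to explicit HTTP methods. Anything
    listed leaves all other verbs unprotected; an empty list is the goal."""
    root = ET.fromstring(web_xml)
    findings = []
    for constraint in root.iter("security-constraint"):
        for collection in constraint.iter("web-resource-collection"):
            methods = sorted(m.text.strip().upper() for m in collection.iter("http-method"))
            if methods:
                name = collection.findtext("web-resource-name", default="<unnamed>")
                findings.append((name, methods))
    return findings


# Constructed access-log lines (Common Log Format). The third line is what a
# verb-tampering probe looks like: a HEAD to the console that was served (200)
# instead of challenged (401).
ACCESS_LOG = """\
203.0.113.10 - - [15/Mar/2016:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.10 - - [15/Mar/2016:10:01:05 +0000] "GET /jmx-console/ HTTP/1.1" 401 0
203.0.113.10 - - [15/Mar/2016:10:01:07 +0000] "HEAD /jmx-console/HtmlAdaptor HTTP/1.1" 200 0
198.51.100.7 - - [15/Mar/2016:10:02:00 +0000] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 401 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
CONSOLE_PREFIX = "/jmx-console"


def suspicious_console_requests(log_text: str) -> list:
    """Return (ip, method, path, status) for requests to the JMX console that
    used a verb other than GET/POST and were not rejected (status < 400)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        status = int(m["status"])
        if (m["path"].startswith(CONSOLE_PREFIX)
                and m["method"] not in ("GET", "POST")
                and status < 400):
            hits.append((m["ip"], m["method"], m["path"], status))
    return hits


if __name__ == "__main__":
    print("verb-limited constraints (vulnerable):", verb_limited_constraints(VULNERABLE_WEB_XML))
    print("verb-limited constraints (hardened): ", verb_limited_constraints(HARDENED_WEB_XML))
    print("suspicious console requests:", suspicious_console_requests(ACCESS_LOG))
```

The log check is deliberately narrow (console path, unusual verb, non-error status) so that it fires on successful bypass attempts rather than on every scanner that gets a 401; the web.xml audit is the pre-emptive version of the same control and is cheap to run across every deployed instance.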
A Future Ransomware Model
• Establish initial access
• Escalate privileges
• Identify critical systems
• Install ransomware
• Collect payment
• Scan for vulnerabilities
Maximising lost value for the victim; minimising costs for the attacker
www.talosintelligence.com / blog.talosintel.com
@talossecurity
martinleciscocom
Incident response: what to do in the event of a cyber breach – Mark Child, Managing Director, and Neil May, Senior Manager, Technology Risk Management, GLE Consulting Limited
What To Do In The Event of A Cyber Breach
Incident Response
ICSA: THE GOVERNANCE INSTITUTE, 4TH NOVEMBER 2016
You might be feeling a bit like this…
Rabbit in the headlights
Or, depending on your board…
Possibly like this
The big question is…
Is this really an entirely new threat that we are facing?
Our view
The threat is NOT new. ‘Cyber’ is a convenient label for information risk in the 21st century.
But there are some trends:
― We are noticing more and larger breaches
― Breaches and data leaks are making the news – there is public, media and regulatory interest
― The criminals are getting smarter
Our view – how do we respond?
Pursue a strategy of defence-in-depth. Avoid our historic fixation on ‘the perimeter’.
This is not a purely technical problem, so the solution is not necessarily a technical one. But technical controls remain key.
The weakest links are likely to be your people and your third party suppliers & partners.
Summary
― ‘Cyber threat’ is nothing new – in our view
― But it is serious
― Target defence in depth
― Staff, contractors and suppliers are now your weakest link
― Get back to basics on information governance
― Apply technology solutions intelligently to support & enable
History quiz
Just how successful was it? Not very successful at all.
Perception versus reality
We think we are building this…
But we have potentially built this…
Case studies – poor practices
― October 2015
― Cause: simple (and old) technical exploit (executed by a 15 year-old boy)
― Immediate result: 150,000 customer records stolen (over 15,000 full bank details)
― Incident/crisis management extremely poor
  ― CEO unprepared & poorly briefed
  ― Scope of breach massively over-estimated
  ― Response ill-judged (500,000 customers given ‘free upgrade’)
― Impacts
  ― REPUTATION – lost 95,000 customers in year 1
  ― FINANCIAL – current financial cost estimated at £60m
  ― REGULATORY – formally sanctioned by ICO (fined 400k)
Case studies – insider threat
― December 2014
― Cause: malicious software deployed via ‘phishing’ attack, used to obtain IDs and passwords
― Politically motivated
― Immediate result: 100 terabytes of data stolen (the whole of the “.co.uk” domain is only 68 Tb)
― Data included entire movies, financials, staff data, salary data, email records
― Data posted on the internet for download
― Impacts
  ― REPUTATION – Deputy CEO forced to resign due to damaging email content
  ― FINANCIAL – current financial cost estimated at $15m (impact reduced by insurances and managed legal response)
Case studies – third party
― Spring 2014
― Cause: security compromise at third party AirCon and Ventilation contractor – access gained to Target’s network
― Immediate result: 70m customer records and 40m credit card records harvested across 1,797 stores over an extended period
― Data downloaded by criminals in Russia
― Impacts
  ― FINANCIAL – current financial cost to Target estimated at $61m (industry-wide costs estimated at $200m)
Get back to basics
― It’s not just about the enemy at the gates (i.e. the perimeter)
― The perimeter is hard to define these days
― We cannot rely solely upon prevention – our detection and response capability must improve
We need to take the threat seriously
Get back to basics
― Technology and tools of the highest quality can be undermined by weaknesses in basic security practices
― Or by a flawed corporate culture
― Cyber/information risk is a problem for the entire business to resolve – not just IT
― Today’s cyber criminals recognise this and exploit it by adopting a range of approaches which step away from the purely technical and exploit weaknesses in the way that organisations manage, control and interact with their information
― A full frontal assault is unlikely to be profitable – an attacker will target compromise from the inside. And they can be very patient
Get back to basics
Fundamentally, addressing the cyber threat means going back to basics: looking again at your organisation and the controls you already have.
― Understanding your people – what threats do they pose? After all, there is no patch for stupidity
― Understanding your organisation’s information, where it is and how it is used
― Identifying the main risks to physical and information assets
― Ensuring that the right measures are adopted to mitigate risk to within acceptable levels – balancing cost versus risk
Get back to basics – governance foundations
Unless the foundations of good information and security governance are working well, any investment in security technology will most likely be wasted. Fundamental areas for focus are:
― Staff security training and awareness
― Robust oversight and management of third party suppliers
― Software & hardware patch management
― Intelligent management & admin of user access
― Clear policies on security, acceptable system use and social media
People. Process. Tools. In that order.
Get back to basics – making it work
For effective and sustainable governance:
― Setting, maintaining and continuing to evolve the “tone at the top”
― Monitoring of information risk management by the Board of Directors
― Ongoing, practical and relevant awareness training
― Independent assurance
― Regular risk-based security testing, inside and outside the perimeter
What happens if a security breach occurs?
― If a security breach occurs, organisations that follow clearly documented plans to reduce the impact of the breach have a much better chance of staying out of the law courts and avoiding punishment
― Most organisations, unfortunately, don’t have good systems for actually managing the problem. If a breach occurs, the law is really concerned with your behaviour at that point in time. You can’t unravel the past and pretend the breach didn’t occur; it’s what you do from that point on that will determine your culpability
― On top of having well documented systems and procedures, organisations need to have clearly defined actions for dealing with a breach and limiting the damage to those affected. This is likely to involve multiple disciplines that could include information security specialists, IT resources, a PR agency, legal advice and credit reporting services
― If you adopt an honourable stance from the outset, doing the right thing at the right time, then your legal team is in a very strong position to defend you to the regulator, arguing that you’re not the kind of organisation that has the profile that requires all of the effect of the law and therefore the punishment
How to protect organisations from security breaches
― Take some basic steps to build a “protective shield”, most notably:
  ― Build a single unified security policy
  ― Ensure information security forms part of any contract initiation
  ― Make security part of the process when any project is initiated
  ― Employee adequacy – ensure you have processes for handling new employees, changes of job and employees exiting the company; show that they were made aware of security requirements
  ― Third-party assurance – have processes in place to guard information held by third parties
  ― Culture – have a managerial structure in place that demonstrates a chain of responsibility for handling security and reporting errors
    ― ‘Tone at the top’
    ― Shared ownership of good practices
    ― Openness & transparency – continuous improvement
State of the Nation – addressing Cyber Risk
Four golden rules our plan is founded upon:
― Get the basics right – over 75% of attacks exploit failures to put in place basic controls
― Look after the crown jewels – you have to prioritize where you spend your money to defend yourself, so build a fortress around your most critical asset
― Do your homework on your enemies – invest in understanding who might attack you, why and how, so that you can anticipate the most likely scenarios and defend those assets that are most likely to get attacked
― Treat cyber risk as an opportunity to look closely at your business – security and resilience can affect nearly every part of an organization. Strategies to protect IT security and business resiliency should align with an organization’s broader goals – from protecting intellectual property to maximizing productivity to finding new ways to delight customers
Solving the big ‘Board reporting problem’ in cyber – Jon Hawes, Security Intelligence Strategist, Panaseer
Cyber security insurance – Graeme Newman, Chief Innovation Officer, CFC
Tackling the insider threat – Garath Lauder, Director, Cyberseer; Ted Plumis, Vice President of Channels and Corporate Development, Exabeam
Social engineering: the art of the con – Rob Shapland, Penetration Testing Team Manager, First Base Technologies
Cryptography basics – Dr David Weston, Lecturer in Computer Science and Information Systems, Birkbeck, University of London
Tokens, Honeypots, Identification, Authorisation Services – Ray Dalgarno, Director, CYBERCAST
Trust with “THIS”
Tokens, Honeypots, Identification, Authorisation Services: The Confluence
Agenda
• Warfare
• Attack Surface, Attribution, Residency, Deniability
• Honeypots & Tokens
• Identification and Authorisation
• Conclusion
Warfare
Security through obscurity – the reason the armed forces adopt camouflage
NHS Cyber Attacks – The Telegraph, 1st Nov 2016
“…hacking is no longer the stuff of spy thrillers and action movies but a clear and present threat…”
“…Ben Gummer, minister for Cabinet, says that large quantities of sensitive data held by the NHS and the Government is being targeted by hackers…”
“…Ministers will also unveil a Cyber Security Research Institute, a virtual collection of UK universities which will work towards making passwords obsolete…”
Cyber Fraud
“…Online fraudsters stole £10.9bn in the UK last year…”
“…39% (of respondents) questioned by “Get Safe Online” said they were a victim of cybercrime but did not report it…”
“…53% received phishing messages…”
Extract from The Telegraph, 20th October 2016
Cyber Crime is a War Zone
“Rouse him and learn the principle of his activity or inactivity. Force him to reveal himself so as to find out his vulnerable spots.”
“If you know the enemy and know yourself you need not fear the results of a hundred battles.”
– Sun Tzu, Military General, Strategist & Philosopher, 5th Century BC, China
Deception is a powerful, effective but under-utilised tool – (at least by defenders)
Full range of “effects” on adversaries possible through deception
Deception Effects – Attacker & Defender
Effect | Attacker | Defender
Fail to observe | Prevent the defender from detecting the attack | Prevent the attacker from discovering their target
Reveal | Trick the defender into providing access | Trick the attacker into revealing their presence
Waste time | Focus the defender’s attention on the wrong aspects of the incident | Focus the attacker’s efforts on the wrong target
Operation Mincemeat – 1943
Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa: to convince the Germans that, instead of attacking Sicily, the Allied armies would invade Greece.
This was accomplished by persuading the Germans that they had, by accident, intercepted top secret documents giving details of Allied war plans.
Attack Surface, Attribution, Residency, Deniability
From the living room to the boardroom
Attack Surface
From ordinary consumers to a single-office business, through the regulatory bodies, to the national and global giants
The environment dictates the approach – no “Silver Bullet”
Layered security – combining multiple mitigating security controls to cost-effectively protect resources & data
Attack Attribution
At which point in the attack do you realise that you have been hacked? TalkTalk, DNC, Yahoo
There are very few “smoking guns” visible
Attacks that often begin with broadly targeted phishing, that can introduce & run new binaries on victims’ networks & that connect to random internal hosts using exfiltrated credentials, can still remain hidden for a year
Examples of Global IT Vendors’ Vulnerabilities
Microsoft: Microsoft’s August (2016) Patch Tuesday included five updates rated critical out of a total of nine, bringing the number of patches for the year-to-date to 103
SAP: There are vulnerabilities in almost every SAP module; CRM, EP and SRM are leaders among them (ERPScan, SAP Cyber Threat Report 2016)
Oracle MICROS (and others): In total, more than one million PoS terminals around the world could be at risk should the attacks prove to have been deeper than the companies are currently publicly admitting (Computing, Aug)
Dwell Time / Residency
Mandiant reported that attackers on average lurked on a network for 205 days before being discovered¹
Microsoft recently reported they place the number at more than 200 days to detect a security breach and 80 days to contain it²
1. https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf
2. https://blogs.windows.com/windowsexperience/2016/03/01/announcing-windows-defender-advanced-threat-protection/
Plausible Deniability & Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrongdoing cannot be proved as true or untrue due to a lack of evidence proving the allegation.
It is a basic law for the cheat and the deceiver: be able to offer up an excuse that cannot be disproved easily and that makes sense for the situation.
Trickle-down Effects
Increasing rapidity of car trickle-down: yesteryears’ top end car innovations eventually migrate through the models, becoming standard options in lower-priced vehicles.
This pattern of innovation holds true in virtually every field, including cyber-security.
Malware as a Service (MaaS) – moving from the heavily funded specialist cyber experts down into the mass market
MaaS now commonly available at very low cost through the darknet and sites such as TOR, I2P
Honeypots & Tokens: Evolution, Mimicry
Honeypots
Venus Flytrap in action (triggered honeypot)
Trojan Horse (passive honeypot): built by the Greeks and used to enter the city of Troy and win the 10 year Trojan war – 4th century story
Cartography: a trap street (passive honeypot) is a fictitious entry, in the form of a misrepresented street, for the purpose of trapping potential copyright violators
Tempting – moneypot
All mine………
Ooops
Honeypot Principle
Focus on detecting threats. Here we’d like to know immediately someone has broken into the network and is in places they shouldn’t be.
Ensure the honeypot looks appealing to the attacker. The honeypot must look legitimate & enticing.
In this attack scenario the defender has a particular advantage. Once attackers initially land inside your internal network they’re at a disadvantage: they don’t know the lay of the land and they need to explore it (reconnaissance) while remaining hidden.
Defence through Deception
Deception is a highly effective solution for protecting environments, used to confuse, delay and redirect the enemy.
Lured to the Canary honeypot, the attacker will be tricked into engaging with that device and believe they are being successful in their attack.
Canary – Today and Tomorrow
Canary – great for remote sites, but what about our VM data centres?
What about integration with established enterprise monitoring frameworks such as OpenView, CA or Microsoft SCOM?
Console management: limit on the number of deployed Canaries?
Are “Canarytokens” part of tomorrow’s planning?
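The honeypot principle above (bait that looks legitimate, that no legitimate user ever touches, so any contact is a high-fidelity signal) applies equally to the "Canarytokens" the slide asks about: planted URLs, hostnames or credentials rather than whole devices. The block below is an added example written for this page, not Canary or Canarytokens product code. It mints unguessable token ids, renders them as bait artefacts, and scans log lines for any sighting; the bait domain canary.example.invalid, the token kinds, the planting labels and the proxy/DNS log lines are all constructed.

```python
"""Canary-token registry: mint unguessable tokens, plant them as bait that no
legitimate workflow touches, and turn any later sighting into an alert.
Added example written for this page; not Canary or Canarytokens product code.
Token kinds, placements and the log lines are constructed."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class CanaryToken:
    token_id: str      # 128-bit random hex: a sighting cannot be accidental
    kind: str          # "url", "dns" or "password" (constructed kinds)
    planted_at: str    # constructed label of where the bait was placed


class CanaryRegistry:
    """Maps token ids to where they were planted, and scans logs for them."""

    BAIT_DOMAIN = "canary.example.invalid"   # assumption: a domain you control

    def __init__(self):
        self._tokens = {}

    def mint(self, kind: str, planted_at: str) -> CanaryToken:
        token = CanaryToken(secrets.token_hex(16), kind, planted_at)
        self._tokens[token.token_id] = token
        return token

    def bait(self, token: CanaryToken) -> str:
        """Render the artefact that gets planted; every form embeds the id,
        so a proxy, DNS or auth log line that carries it identifies the bait."""
        if token.kind == "url":
            return f"https://{self.BAIT_DOMAIN}/doc/{token.token_id}"
        if token.kind == "dns":
            return f"{token.token_id}.{self.BAIT_DOMAIN}"
        if token.kind == "password":
            return f"svc_backup:Cnry-{token.token_id}"
        raise ValueError(f"unknown token kind {token.kind!r}")

    def scan(self, log_text: str) -> list:
        """Return (kind, planted_at, line) for every log line that carries a
        registered token id. The hit itself is the alert: nobody should ever
        resolve, fetch or authenticate with bait."""
        alerts = []
        for line in log_text.splitlines():
            for token_id, token in self._tokens.items():
                if token_id in line:
                    alerts.append((token.kind, token.planted_at, line))
        return alerts


def demo() -> list:
    """Plant a URL token and a DNS token, replay constructed proxy and DNS
    log lines, and return the alerts. Normal traffic must stay silent; the
    two lines that touch bait must each fire exactly once."""
    reg = CanaryRegistry()
    url_tok = reg.mint("url", "finance share: Q3-bonus-plan.docx")
    dns_tok = reg.mint("dns", "dev wiki: internal-api hostname")
    url_bait, dns_bait = reg.bait(url_tok), reg.bait(dns_tok)
    # Constructed logs: routine intranet use from 10.0.5.23, then a second
    # workstation fetching the bait document and resolving the bait hostname.
    logs = "\n".join([
        "proxy 10.0.5.23 GET https://intranet.example.invalid/home 200",
        "dns 10.0.5.23 A intranet.example.invalid NOERROR",
        f"proxy 10.0.5.41 GET {url_bait} 200",
        f"dns 10.0.5.41 A {dns_bait} NXDOMAIN",
        "auth 10.0.5.41 user=jsmith result=ok",
    ])
    return reg.scan(logs)


if __name__ == "__main__":
    for kind, planted_at, line in demo():
        print(f"ALERT {kind} token planted at {planted_at!r} seen in: {line}")
```

Two design points worth noting: the id is generated with a cryptographic RNG rather than a counter, so a sighting cannot be explained by a guess or a typo, and the planting label is stored with the token, so an alert tells the responder which share or wiki page the intruder has already read.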
Identification & Authorisation
A new way forward
Tokens
Tokens – in general, a token is an object that represents something else, such as another object (either physical or virtual) or an abstract concept. In computer systems there are a number of types of tokens, both hardware and software.
In human terms a token of trust can exist between two parties, with such levels of trust reinforced through personal introductions with other parties.
A token generation & management platform designed specifically for high security multi-services in public and private clouds greatly enhances trustworthy information handling.
Identification with Passwords
Any directory service or management platform holding passwords becomes a target for the attacker for credentials’ theft.
Passwords are fundamentally flawed: often easy to guess; reused across different services; written down, stored or shared; can be intercepted; expensive to maintain. 29% of all cybercrime is from stolen passwords.
Identification WITHOUT Password
The Problem: the password has outlived its usefulness.
Secure Cloudlink’s Response: patented and highly secure tokenised message management solution assures password redundancy. User credentials are not transmitted, stored or replicated. Secure digital services – a snap for the user.
Randomised encrypted key generation – no consistent key to be stolen.
Conclusion: Possible quick-wins
Immediate Low-risk Considerations
• People protection: continuous interactive education on the threats & risks posed by cyber-criminals through the deployment of Phish5 email phishing simulations with supporting education processes
• Network hardening: rapid deployment of customisable, low-cost, capex-free Canary honeypots throughout the strategic points on the network
• Access & authorisation protection: review and assess the usage & costs (direct/indirect) of passwords in your own organisation – test the results against Secure Cloudlink
• Information handling assurance: regular external expert assessment & audit of network data governance practices and procedures
Security Through Obscurity
• Warfare – The Social Threat
• Attack Surface, Attribution, Residency, Deniability – Living room to Boardroom
• Honeypots & Tokens – Evolution Mimicked
• Identification and Authorisation – New Pathway
Thank you
Trust in “THIS”
Security through Obscurity – Ray Dalgarno
raycybercastco
New and evolving forms of malware – Mark Olding, Senior Enterprise Presales Consultant, Kaspersky Labs
The what, how, who and why of computer malware
Mark Olding, Senior Enterprise Presales Consultant
THE SCALE OF THE THREAT
• 1994: 1 new virus every hour
• 2006: 1 new virus every minute
• 2011: 1 new virus every second
• 2016: 310,000 new samples every day
THE SCALE OF THE THREAT
(Chart) Traditional cybercrime: 90%; targeted threats to organizations (targeted attacks, advanced persistent threats): 9.9%; cyber-weapons: 0.1%
THE NATURE OF THE THREAT
TRENDS AND THREATS
• Internet of Things
• Big Data
• Fragmentation of the internet
• Cloud & virtualization
• Consumerisation & mobility
• Critical infrastructure at risk
• Increasing online commerce
• Privacy & data protection challenge
• Online banking at risk
• Mobile threats
• Decreasing costs of APTs
• Merger of cyber crime and APTs
• Supply chain attacks
• Targeting hotel networks
• Ransomware programs
• Cyber mercenaries
• Massive data leaks
• Malware for ATMs
• Financial phishing attacks
• Attacks on PoS terminals
• Threats to smart cities
• ‘Wipers’ & cyber-sabotage
• Targeted attacks
HOW MALWARE SPREADS
• USB sticks
• Email
• Exploit kits
• Social networks
• Browsers
• Android OS
VULNERABILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798,113,087 web attacks in 2015: 25 attacks per second, 1,518 attacks per minute, 91,000 attacks per hour, 2.1 million attacks per day
DRIVE-BY DOWNLOADS (chart, June 2015)
SOCIAL MEDIA (chart, June 2015)
REMOVABLE DRIVES (chart, June 2015)
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
(Chart: users attacked per month, Nov 2014 to Sep 2015, scale 0 to 450,000 users)
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers. This number is 2.8% higher than in 2014.
Ransomware (chart, June 2015): blockers versus cryptors
Advanced Persistent Threats
Stuxnet, Duqu, Gauss, Flame, MiniFlame, Kimsuky, NetTraveler, Winnti, Icefog, RedOctober, Miniduke, TeamSpy, Energetic Bear / Crouching Yeti, Epic Turla, Careto / The Mask, Regin, CosmicDuke, Darkhotel, Spring Dragon, Satellite Turla, MsnMM Campaigns, Darkhotel Part 2, Animal Farm, Equation, Desert Falcons, Carbanak, Sofacy, Hellsing, Naikon, Duqu 2.0, Blue Termite, Wild Neutron
We discover and dissect the world’s most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
A targeted attack on a bank
1. Infection: Carbanak sent the backdoor as an attachment; emails with exploits reached bank employees; credentials stolen; 100s of machines infected in search of the admin PC
2. Harvesting intelligence: intercepting the clerk’s screen (admin, REC, cash transfer systems)
3. Mimicking the staff – how the money was stolen:
   • Online banking – money was transferred to the fraudsters’ accounts
   • E-payment systems – money was transferred to banks in China and the US
   • Inflated account balances – the extra funds were pocketed via a fraudulent transaction
   • Controlling ATMs – orders to dispense cash at a pre-determined time
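The "inflated account balances" step above is the one a bank can catch with an accounting control rather than a malware signature: a balance raised out of band and then drained leaves the closing figure looking untouched, but the movement is no longer explained by the posted transactions. The block below is an added example written for this page, not Kaspersky code; it reconciles each account's opening and closing balance against the day's journal and reports any delta the postings do not account for. The accounts, balances and postings are constructed.

```python
"""Balance reconciliation against the transaction journal: the control that
catches a Carbanak-style inflated balance, where funds were added out of band
and the surplus moved out so the closing figure looked untouched. Added
example written for this page, not Kaspersky code; all data is constructed."""
from collections import defaultdict
from decimal import Decimal

# Constructed end-of-day snapshot: account -> (opening balance, closing balance)
SNAPSHOTS = {
    "ACC-1001": (Decimal("1000.00"), Decimal("1250.00")),
    "ACC-1002": (Decimal("5000.00"), Decimal("5000.00")),   # looks untouched
    "ACC-1003": (Decimal("200.00"), Decimal("150.00")),
}

# Constructed journal of posted transactions for the same day.
# ACC-1002 shows a 10,000 transfer out, yet its balance did not move: the
# funds that covered the transfer were never journaled, i.e. the balance
# was inflated outside the normal posting path.
JOURNAL = [
    ("T1", "ACC-1001", Decimal("250.00"), "salary credit"),
    ("T2", "ACC-1003", Decimal("-50.00"), "card payment"),
    ("T3", "ACC-1002", Decimal("-10000.00"), "transfer out"),
]


def reconcile(snapshots: dict, journal: list) -> dict:
    """Return {account: unexplained_delta} for every account whose balance
    movement is not fully explained by journaled postings.
    unexplained_delta = (closing - opening) - sum(postings); a positive value
    means money appeared without a posting, the signature of an inflated
    balance, while a negative value means money left without one."""
    posted = defaultdict(Decimal)
    for _txn_id, account, amount, _memo in journal:
        if account not in snapshots:
            raise ValueError(f"posting to unknown account {account}")
        posted[account] += amount
    findings = {}
    for account, (opening, closing) in snapshots.items():
        unexplained = (closing - opening) - posted[account]
        if unexplained != 0:
            findings[account] = unexplained
    return findings


if __name__ == "__main__":
    for account, delta in reconcile(SNAPSHOTS, JOURNAL).items():
        print(f"{account}: {delta:+} not explained by the journal")
```

Run daily against the core ledger, this check is indifferent to how the balance was altered (direct database edit, abused admin tool, forged posting that bypassed the journal), which is why it complements rather than replaces endpoint detection of the backdoor itself.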
MAC MALWARE
In 2012 the Flashback botnet was discovered, consisting of 700,000 computers all running under Mac OS X.
Cybercriminals repeatedly use Mac malware when launching targeted attacks.
Macs can unknowingly pass PC malware onto PCs in your network.
MAC MALWARE
(Chart: Mac malware samples per year, 2003 to 2015, scale 0 to 30,000)
Since 2012 the proportion of adware on OS X has increased fivefold (x5).
Kaspersky Lab recorded almost 6 million unique attacks on Mac devices in 2015.
There are more than 24,000 samples of malicious OS X files in Kaspersky Lab’s collection.
MOBILE MALWARE
(Chart: mobile malware samples per quarter, Q1 2011 to Q3 2015, scale 0 to 1,600,000)
MOBILE MALWARE (chart of categories)
Adware, RiskTool, Trojan-SMS, Trojan, Trojan-Spy, Backdoor, Trojan-Downloader, Trojan-Banker, Trojan-Ransom, Monitor, Other
RIGHT NOW
• Evaluate the risks
• Patch OS and applications
• Manage your network
• Secure your systems: multi-layered protection, not just endpoints; Default-Deny; encrypt; don’t forget mobile
• Educate staff
• Stop fire fighting: create a strategy
• It’s bigger than IT
• Delegate to experts: assessment, incident response, analysis
TOMORROW
• ‘The end of APTs’
• Alternative payment systems and stock exchange
• Sabotage, extortion and shame
• Ransomware
• Trusted resources
• From ‘APT-as-a-Service’ to ‘Access-as-a-service’
• Balkanisation
• Transportation
• ‘Crypto-apocalypse’
FUTURE PROSPECTS
THANK YOU
Closing keynote address – Vicki Gavin, Compliance Director, Head of Business Continuity & Information Security, The Economist Group
Thank you
SamSam ndash March 2016
Vulnerable Systems
32 million lsquoat riskrsquo machinesScan for JBoss vulnerability
CVE-2010-0738
Install web shell
2100 installed web shells
A Future Ransomware Model
Establish initial access
Escalate privileges
Identify critical
systemsInstall
ransomwareCollect
payment
Scan for vulnerabilitie
sMaximising lost value for the victimMinimising costs for the attacker
wwwtalosintelligencecomblogtalosintelcom
talossecurity
martinleciscocom
Incident response what to do in the event of a cyber breachMark Child Managing Director andNeil May Senior Manager Technology Risk ManagementGLE Consulting Limited
What To Do In The Event of A Cyber Breach
Incident Response
ICSA THE GOVERNANCE INSTITUTE 4TH NOVEMBER 2016
You might be feeling a bit like thishellip
Rabbit in the headlights
Or depending on your boardhellip
Possibly like this
The big question is hellip
Is this really an entirely new threat that we are facing
Our view
But there are some trends
― We are noticing more and larger breaches
― Breaches and data leaks are making the news ndash there is public media and regulatory interest
― The criminals are getting smarter
The threat is NOT new
lsquoCyberrsquo is a convenient label for information risk in the 21st Century
Our view ndash how do we respond
Pursue a strategy of defence-in-depth
Avoid our historic fixation on lsquothe perimeterrsquo This is not a purely technical problem
The solution is not necessarily a technical one Technical controls remain key
The weakest links are likely to beYour people
Your third party suppliers amp partners
And
So
But
Summary
― 'Cyber threat' is nothing new – in our view
― But it is serious
― Target defence in depth
― Staff, contractors and suppliers are now your weakest link
― Get back to basics on information governance
― Apply technology solutions intelligently to support & enable
History quiz
Just how successful was it? Not very successful at all
Perception versus reality
We think we are building this…
But we have potentially built this…
Case studies – poor practices
― October 2015
― Cause: simple (and old) technical exploit (executed by a 15 year-old boy)
― Immediate result: 150,000 customer records stolen (over 15,000 full bank details)
― Incident/crisis management extremely poor
― CEO unprepared & poorly briefed
― Scope of breach massively over-estimated
― Response ill-judged (500,000 customers given 'free upgrade')
― Impacts:
― REPUTATION – lost 95,000 customers in year 1
― FINANCIAL – current financial cost estimated at £60m
― REGULATORY – formally sanctioned by the ICO (fined £400k)
Case studies – insider threat
― December 2014
― Cause: malicious software deployed via 'phishing' attack, used to obtain IDs and passwords
― Politically motivated
― Immediate result: 100 terabytes of data stolen (the whole of the ".co.uk" domain is only 68 TB)
― Data included entire movies, financials, staff data, salary data, email records
― Data posted on the internet for download
― Impacts:
― REPUTATION – Deputy CEO forced to resign due to damaging email content
― FINANCIAL – current financial cost estimated at $15m (impact reduced by insurances and managed legal response)
Case studies – third party
― Spring 2014
― Cause: security compromise at a third party air-con and ventilation contractor – access gained to Target's network
― Immediate result: 70m customer records and 40m credit card records harvested across 1,797 stores over an extended period
― Data downloaded by criminals in Russia
― Impacts:
― FINANCIAL – current financial cost to Target estimated at $61m (industry-wide costs estimated at $200m)
Get back to basics
― It's not just about the enemy at the gates (i.e. the perimeter)
― The perimeter is hard to define these days
― We cannot rely solely upon prevention – our detection and response capability must improve
We need to take the threat seriously
Get back to basics
― Technology and tools of the highest quality can be undermined by weaknesses in basic security practices
― Or by a flawed corporate culture
― Cyber/information risk is a problem for the entire business to resolve – not just IT
― Today's cyber criminals recognise this and exploit it by adopting a range of approaches which step away from the purely technical and exploit weaknesses in the way that organisations manage, control and interact with their information
― A full frontal assault is unlikely to be profitable – an attacker will target compromise from the inside. And they can be very patient
Get back to basics
Fundamentally, addressing the cyber threat means going back to basics: looking again at your organisation and the controls you already have
― Understanding your people – what threats do they pose? After all, there is no patch for stupidity
― Understanding your organisation's information: where it is and how it is used
― Identifying the main risks to physical and information assets
― Ensuring that the right measures are adopted to mitigate risk to within acceptable levels – balancing cost versus risk
Get back to basics – governance foundations
Unless the foundations of good information and security governance are working well, any investment in security technology will most likely be wasted. Fundamental areas for focus are:
― Staff security training and awareness
― Robust oversight and management of third party suppliers
― Software & hardware patch management
― Intelligent management & administration of user access
― Clear policies on security, acceptable system use and social media
People, process, tools. In that order.
Get back to basics – making it work
For effective and sustainable governance:
― Setting, maintaining and continuing to evolve the "tone at the top"
― Monitoring of information risk management by the Board of Directors
― Ongoing, practical and relevant awareness training
― Independent assurance
― Regular risk-based security testing, inside and outside the perimeter
What happens if a security breach occurs
― If a security breach occurs, organisations that follow clearly documented plans to reduce the impact of the breach have a much better chance of staying out of the law courts and avoiding punishment
― Most organisations, unfortunately, don't have good systems for actually managing the problem. If a breach occurs, the law is really concerned with your behaviour at that point in time. You can't unravel the past and pretend the breach didn't occur; it's what you do from that point on that will determine your culpability
― On top of having well documented systems and procedures, organisations need to have clearly defined actions for dealing with a breach and limiting the damage to those affected. This is likely to involve multiple disciplines that could include information security specialists, IT resources, a PR agency, legal advice and credit reporting services
― If you adopt an honourable stance from the outset, doing the right thing at the right time, then your legal team is in a very strong position to defend you to the regulator, arguing that you're not the kind of organisation that has the profile that requires all of the effect of the law, and therefore the punishment
How to protect organisations from security breaches
― Take some basic steps to build a "protective shield", most notably:
― Build a single unified security policy
― Ensure information security forms part of any contract initiation
― Make security part of the process when any project is initiated
― Employee adequacy – ensure you have processes for handling new employees, changes of job and employees exiting the company; show that they were made aware of security requirements
― Third-party assurance – have processes in place to guard information held by third parties
― Culture – have a managerial structure in place that demonstrates a chain of responsibility for handling security and reporting errors
― 'Tone at the top'
― Shared ownership of good practices
― Openness & transparency – continuous improvement
State of the Nation – addressing Cyber Risk
Four golden rules our plan is founded upon
Over 75% of attacks exploit failures to put in place basic controls
Get the basics right
You have to prioritize where you spend your money to defend yourself, so build a fortress around your most critical asset
Look after the crown jewels
Invest in understanding who might attack you, why and how, so that you can anticipate the most likely scenarios and defend those assets that are most likely to get attacked
Do your homework on your enemies
Security and resilience can affect nearly every part of an organization. Strategies to protect IT security and business resiliency should align with an organization's broader goals – from protecting intellectual property to maximizing productivity to finding new ways to delight customers
Treat cyber risk as an opportunity to look closely at your business
Solving the big 'Board reporting problem' in cyber: Jon Hawes, Security Intelligence Strategist, Panaseer
Cyber security insurance: Graeme Newman, Chief Innovation Officer, CFC
Tackling the insider threat: Garath Lauder, Director, Cyberseer; Ted Plumis, Vice President of Channels and Corporate Development, Exabeam
Social engineering, the art of the con: Rob Shapland, Penetration Testing Team Manager, First Base Technologies
Cryptography Basics: Dr David Weston, Lecturer in Computer Science and Information Systems, Birkbeck, University of London
Tokens, Honeypots, Identification, Authorisation Services: Ray Dalgarno, Director, CYBERCAST
Trust with "THIS"
Tokens, Honeypots, Identification, Authorisation Services – The Confluence
Agenda
Warfare
Attack Surface, Attribution, Residency, Deniability
Honeypots & Tokens
Identification and Authorisation
Conclusion
Warfare: security through obscurity – the reason the armed forces adopt camouflage
NHS Cyber Attacks – The Telegraph, 1st Nov 2016
"…hacking is no longer the stuff of spy thrillers and action movies but a clear and present threat…"
"…Ben Gummer, minister for Cabinet, says that large quantities of sensitive data held by the NHS and the Government is being targeted by hackers…"
"…Ministers will also unveil a Cyber Security Research Institute, a virtual collection of UK universities which will work towards making passwords obsolete…"
Cyber Fraud
"…Online fraudsters stole £10.9bn in the UK last year…"
"…39% (of respondents) questioned by "Get Safe Online" said they were a victim of cybercrime but did not report it…"
"…53% received phishing messages…"
Extract from The Telegraph, 20th October 2016
Cyber Crime is a War Zone
"Rouse him and learn the principle of his activity or inactivity. Force him to reveal himself so as to find out his vulnerable spots."
"If you know the enemy and know yourself you need not fear the results of a hundred battles."
- Sun Tzu, Military General, Strategist & Philosopher, 5th Century BC, China
Deception is a powerful, effective but under-utilised tool – (at least by defenders)
Full range of "effects" on adversaries possible through deception
Deception Effects - Attacker & Defender
Effect          | Used by the attacker                                                 | Used by the defender
Fail to observe | Prevent the defender from detecting the attack                       | Prevent the attacker from discovering their target
Reveal          | Trick the defender into providing access                             | Trick the attacker into revealing their presence
Waste time      | Focus the defender's attention on the wrong aspects of the incident  | Focus the attacker's efforts on the wrong target
Operation Mincemeat - 1943
Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa: to convince the Germans that, instead of attacking Sicily, the Allied armies would invade Greece.
This was accomplished by persuading the Germans that they had, by accident, intercepted top secret documents giving details of Allied war plans.
Attack Surface, Attribution, Residency, Deniability – from the living room to the boardroom
Attack Surface
From ordinary consumers to a single-office business, through the regulatory bodies, to the national and global giants
The environment dictates the approach – no "Silver Bullet"
Layered security – combining multiple mitigating security controls to cost-effectively protect resources & data
Attack Attribution
At which point in the attack do you realise that you have been hacked? TalkTalk, DNC, Yahoo
There are very few "smoking guns" visible
Attacks that often begin with broadly targeted phishing, that can introduce and run new binaries on victims' networks, and that connect to random internal hosts using exfiltrated credentials, can still remain hidden for a year
Examples of Global IT Vendors' Vulnerabilities
Microsoft: Microsoft's August (2016) Patch Tuesday included five updates rated critical out of a total of nine, bringing the number of patches for the year-to-date to 103
SAP: There are vulnerabilities in almost every SAP module; CRM, EP and SRM are leaders among them (ERPScan, SAP Cyber Threat Report 2016)
Oracle MICROS (and others): In total more than one million PoS terminals around the world could be at risk should the attacks prove to have been deeper than the companies are currently publicly admitting (Computing, Aug)
Dwell Time / Residency
Mandiant reported that attackers on average lurked on a network for 205 days before being discovered¹
Microsoft recently reported they place the number at more than 200 days to detect a security breach and 80 days to contain it²
1 https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf
2 https://blogs.windows.com/windowsexperience/2016/03/01/announcing-windows-defender-advanced-threat-protection/
Plausible Deniability & Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrongdoing cannot be proved as true or untrue due to a lack of evidence proving the allegation
It is a basic law for the cheat and the deceiver: be able to offer up an excuse that cannot be disproved easily and that makes sense for the situation
Trickle-down Effects
Increasing rapidity of car 'trickle-down': yesteryears' top-end car innovations eventually migrate through the models, becoming standard options in lower-priced vehicles
This pattern of innovation holds true in virtually every field, including cyber-security
Malware as a Service (MaaS) – moving from the heavily funded specialist cyber experts down into the mass market
MaaS is now commonly available at very low cost through the darknet, reached over anonymity networks such as Tor and I2P
Honeypots & Tokens – Evolution, Mimicry
Honeypots
Venus Flytrap in action (triggered honeypot)
Trojan Horse (passive honeypot): the Greeks built and used it to enter the city of Troy and win the 10-year Trojan war – 4th Century story
Cartography: a trap street (passive honeypot) is a fictitious entry, in the form of a misrepresented street, for the purpose of trapping potential copyright violators
Tempting – moneypot
All mine…
Oops
Honeypot Principle
Focus on detecting threats. Here we'd like to know immediately someone has broken into the network and is in places they shouldn't be
Ensure the honeypot looks appealing to the attacker. The honeypot must look legitimate & enticing
In this attack scenario the defender has a particular advantage. Once attackers initially land inside your internal network they're at a disadvantage: they don't know the lay of the land and they need to explore it (reconnaissance) while remaining hidden
Defence through Deception
Deception is a highly effective solution for protecting environments, used to confuse, delay and redirect the enemy
Lured to the Canary honeypot, the attacker will be tricked into engaging with that device and believe they are being successful in their attack
Canary – Today and Tomorrow
Canary – great for remote sites, but what about our VM data centres?
What about integration with established enterprise monitoring frameworks such as OpenView, CA or Microsoft SCOM?
Console management limit on the number of deployed Canaries
Are "Canarytokens" part of tomorrow's planning?
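The Canarytokens the slide asks about are the software counterpart of the trap street: a unique identifier that has no legitimate use, planted where only an intruder would find it, with an alert wired to its first use. What follows is an added example of that principle in Python, not code from Canary's vendor or from the slides: it mints a token URL under an assumed internal hostname (canary.example.internal, a placeholder), records which lure it was planted in, and scans web-server access lines for a hit. The log lines are constructed for the example; in a real deployment they would come from whatever server answers for the token host, and the alert would go to a pager rather than stdout.

```python
import re
import secrets

# Apache/nginx "combined" access-log format: client IP, timestamp, request line,
# status, size, referrer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Token path layout used by this example: /t/<16 hex chars>/<anything>
TOKEN_PATH_RE = re.compile(r"^/t/(?P<token>[0-9a-f]{16})/")


class CanaryTokens:
    """Mint unique lure URLs and match them against access-log traffic.

    Any request carrying a minted token is an alert: the URL was never
    published, so a hit means someone opened the lure it was planted in."""

    def __init__(self, base_host="canary.example.internal"):  # assumed hostname
        self.base_host = base_host
        self._labels = {}  # token -> where the lure was planted

    def mint(self, label, token=None):
        """Create a token URL and remember the lure it belongs to.

        A token can be supplied (e.g. to re-register an existing one);
        otherwise 16 hex characters are drawn from the OS CSPRNG."""
        token = token or secrets.token_hex(8)
        if not TOKEN_PATH_RE.match(f"/t/{token}/"):
            raise ValueError("token must be 16 lowercase hex characters")
        self._labels[token] = label
        return f"http://{self.base_host}/t/{token}/logo.png"

    def scan_log(self, lines):
        """Return one alert per request for a minted token.

        Requests for unknown tokens (scanners guessing paths) are ignored, as
        is anything that does not parse as a combined-format line."""
        alerts = []
        for line in lines:
            m = LOG_RE.match(line.rstrip("\n"))
            if not m:
                continue
            t = TOKEN_PATH_RE.match(m["path"])
            if not t or t["token"] not in self._labels:
                continue
            alerts.append({
                "label": self._labels[t["token"]],
                "token": t["token"],
                "source_ip": m["ip"],
                "timestamp": m["ts"],
                "user_agent": m["ua"],
            })
        return alerts


# Constructed sample traffic: one genuine hit on the planted token, one
# ordinary page view, and one probe for a token that was never minted.
SAMPLE_LOG = [
    '10.20.30.40 - - [04/Nov/2016:10:15:01 +0000] "GET /t/deadbeefcafef00d/logo.png HTTP/1.1" 200 95 "-" "Mozilla/5.0 (Windows NT 10.0; Word)"',
    '10.20.30.41 - - [04/Nov/2016:10:16:44 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '10.20.30.99 - - [04/Nov/2016:11:02:10 +0000] "GET /t/0000000000000000/logo.png HTTP/1.1" 404 0 "-" "curl/7.47.0"',
]


def demo():
    """Plant one lure and scan the sample log; returns the alerts raised."""
    canary = CanaryTokens()
    canary.mint("finance share: Q4-forecast.docx", token="deadbeefcafef00d")
    return canary.scan_log(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in demo():
        print(f"ALERT {alert['label']} opened from {alert['source_ip']} "
              f"at {alert['timestamp']} ({alert['user_agent']})")
```

The URL is what gets embedded (as a remote image in a document, a bookmark in a browser profile, an entry in a config file on a file share); the label is what makes the alert actionable, because it tells you which lure, and therefore which share or host, the intruder reached. The same structure works for a DNS token: log the queried name instead of the request path and match the label against it.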
Identification & Authorisation
A new way forward
Tokens
Tokens – in general, a token is an object that represents something else, such as another object (either physical or virtual) or an abstract concept. In computer systems there are a number of types of tokens, both hardware and software
In human terms a token of trust can exist between two parties, with such levels of trust reinforced through personal introductions with other parties
A token generation & management platform designed specifically for high security multi-services in public and private clouds greatly enhances trustworthy information handling
Identification with Passwords
Any directory service or management platform holding passwords becomes a target for the attacker for credentials' theft
Passwords are fundamentally flawed: often easy to guess; reused across different services; written down, stored or shared; can be intercepted; expensive to maintain. 29% of all cybercrime is from stolen passwords
Identification WITHOUT Password
The Problem: the password has outlived its usefulness
Secure Cloudlink's Response: patented and highly secure tokenised message management solution assures password redundancy. User credentials are not transmitted, stored or replicated. Secure digital services – a snap for the user
Randomised encrypted key generation – no consistent key to be stolen
Conclusion
Possible quick-wins
Immediate Low-risk Considerations
People protection: continuous interactive education on the threats & risks posed by cyber-criminals, through the deployment of Phish5 email phishing simulations with supporting education processes
Network hardening: rapid deployment of customisable, low-cost, capex-free Canary honeypots throughout the strategic points on the network
Access & authorisation protection: review and assess the usage & costs (direct/indirect) of passwords in your own organisation – test the results against Secure Cloudlink
Information handling assurance: regular external expert assessment & audit of network data governance practices and procedures
Security Through Obscurity
Warfare – The Social Threat
Attack Surface, Attribution, Residency, Deniability – Living room to Boardroom
Honeypots & Tokens – Evolution Mimicked
Identification and Authorisation – New Pathway
Thank you
Trust in "THIS"
Security through Obscurity
Ray Dalgarno
ray@cybercast.co
New and evolving forms of malware: Mark Olding, Senior Enterprise Presales Consultant, Kaspersky Labs
The what, how, who and why of computer malware
Mark Olding, Senior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1994: 1 new virus every hour
2006: 1 new virus every minute
2011: 1 new virus every second
2016: 310,000 new samples every day
THE SCALE OF THE THREAT
[chart: share of threats by category – Traditional cybercrime; Targeted threats to organizations (targeted attacks, advanced persistent threats); Cyber-weapons. The values read 90, 99 and 01 in the source]
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of Things; Big Data; Fragmentation of the internet; Cloud & Virtualization; Consumerisation & Mobility; Critical infrastructure at risk; Increasing online commerce; Privacy & data protection challenge; Online banking at risk; Mobile threats; Decreasing costs of APTs; Merger of cyber crime and APTs; Supply chain attacks; Targeting hotel networks; Ransomware programs; Cyber mercenaries; Massive data leaks; Malware for ATMs; Financial phishing attacks; Attacks on PoS terminals; Threats to smart cities; 'Wipers' & cyber-sabotage; Targeted attacks
HOW MALWARE SPREADS
USB sticks; Email; Exploit kits; Social networks; Browsers; Android OS
VULNERABILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798,113,087 web attacks in 2015
25 attacks per second; 1,518 attacks per minute; 91,000 attacks per hour; 2.1 million attacks per day
DRIVE-BY DOWNLOADS (June 2015)
SOCIAL MEDIA (June 2015)
REMOVABLE DRIVES (June 2015)
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
[chart: users attacked per month, Nov-14 to Sep-15, y-axis 0 to 450,000 users]
2 MILLION ATTEMPTS (June 2015)
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28% higher than in 2014
Ransomware (June 2015)
BLOCKERS
CRYPTORS
Advanced Persistent Threats
Stuxnet
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetic Bear / Crouching Yeti
Epic Turla
Careto / The Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 2.0
Blue Termite
Wild Neutron
We discover and dissect the world's most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
A targeted attack on a bank
1 Infection: Carbanak sent a backdoor as an attachment – emails with exploits to bank employees; credentials stolen; 100s of machines infected in search of the admin PC
2 Harvesting intelligence: intercepting the clerk's screen on the admin PC (screen recording) to learn the cash transfer systems
3 Mimicking the staff – how the money was stolen:
― Online banking: money was transferred to the fraudsters' accounts
― E-payment systems: money was transferred to banks in China and the US
― Inflated account balances: the extra funds were pocketed via a fraudulent transaction
― Controlling ATMs: orders to dispense cash at a pre-determined time
MAC MALWARE
In 2012 the Flashback botnet was discovered, consisting of 700,000 computers all running under Mac OS X
Cybercriminals repeatedly use Mac malware when launching targeted attacks
Macs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
[chart: Mac malware samples per year, 2003 to 2015, y-axis 0 to 30,000]
Since 2012 the proportion of adware on OS X has increased fivefold (x5)
Kaspersky Lab recorded almost 6 million unique attacks on Mac devices in 2015
There are more than 24,000 samples of malicious OS X files in Kaspersky Lab's collection
MOBILE MALWARE
[chart: mobile malware samples per quarter, Q1 2011 to Q3 2015, y-axis 0 to 1,600,000]
MOBILE MALWARE
[chart: mobile malware by type – Adware, RiskTool, Trojan-SMS, Trojan, Trojan-Spy, Backdoor, Trojan-Downloader, Trojan-Banker, Trojan-Ransom, Monitor, Other]
RIGHT NOW
• Evaluate the risks
• Patch OS and applications
• Manage your network
• Secure your systems: multi-layered protection; not just endpoints; Default-Deny; encrypt; don't forget mobile
• Educate staff
• Stop fire fighting. Create a strategy
• It's bigger than IT
• Delegate to experts: assessment, incident response, analysis
TOMORROW
• 'The end of APTs'
• Alternative payment systems and stock exchange
• Sabotage, extortion and shame
• Ransomware
• Trusted resources
• From 'APT-as-a-Service' to 'Access-as-a-Service'
• Balkanisation
• Transportation
• 'Crypto-apocalypse'
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
Vulnerable Systems
32 million lsquoat riskrsquo machinesScan for JBoss vulnerability
CVE-2010-0738
Install web shell
2100 installed web shells
A Future Ransomware Model
Establish initial access
Escalate privileges
Identify critical
systemsInstall
ransomwareCollect
payment
Scan for vulnerabilitie
sMaximising lost value for the victimMinimising costs for the attacker
wwwtalosintelligencecomblogtalosintelcom
talossecurity
martinleciscocom
Incident response what to do in the event of a cyber breachMark Child Managing Director andNeil May Senior Manager Technology Risk ManagementGLE Consulting Limited
What To Do In The Event of A Cyber Breach
Incident Response
ICSA THE GOVERNANCE INSTITUTE 4TH NOVEMBER 2016
You might be feeling a bit like thishellip
Rabbit in the headlights
Or depending on your boardhellip
Possibly like this
The big question is hellip
Is this really an entirely new threat that we are facing
Our view
But there are some trends
― We are noticing more and larger breaches
― Breaches and data leaks are making the news ndash there is public media and regulatory interest
― The criminals are getting smarter
The threat is NOT new
lsquoCyberrsquo is a convenient label for information risk in the 21st Century
Our view ndash how do we respond
Pursue a strategy of defence-in-depth
Avoid our historic fixation on lsquothe perimeterrsquo This is not a purely technical problem
The solution is not necessarily a technical one Technical controls remain key
The weakest links are likely to beYour people
Your third party suppliers amp partners
And
So
But
Summary
― lsquoCyber threatrsquo is nothing new ndash in our view
― But it is serious
― Target defence in depth
― Staff contractors and suppliers are now your weakest link
― Get back to basics on information governance
― Apply technology solutions intelligently to support amp enable
History quiz
History quiz
Just how successful was it
Not very successful at
all
Perception versus reality
We think we are building thishellip
But we have potentially built thishellip
Case studies ndash poor practices
― October 2015
― Cause Simple (and old) technical exploit (executed by a 15 year-old boy)
― Immediate result 150000 customer records stolen (0ver 15000 full bank details)
― Incidentcrisis management extremely poor― CEO unprepared amp poorly briefed
― Scope of breach massively over-estimated
― Response ill-judged (500000 customers given lsquofree upgradersquo)
― Impacts― REPUTATION ndash Lost 95000 customers in year 1
― FINANCIAL ndash Current financial cost estimated at pound60m
― REGULATORY ndash Formally sanctioned by ICO (Fined 400k)
Case studies ndash insider threat
― December 2014
― Cause Malicious software deployed via lsquophishingrsquo attack used to obtain IDs and passwords
― Politically motivated
― Immediate result 100 terabytes of data stolen (the whole of the ldquocoukrdquo domain is only 68 Tb)
― Data included entire movies financials staff data salary data email records
― Data posted on the internet for download
― Impacts― REPUTATION ndash Deputy CEO forced to resign due to damaging email content
― FINANCIAL ndash Current financial cost estimated at $15m (impact reduced byinsurances and managed legal response)
Case studies ndash third party
― Spring 2014
― Cause Security compromise at third party AirCon and Ventilation contractor ndash access gained to Targetrsquos network
― Immediate result 70m customer records and 40m credit card records harvested across 1797 stores over extended period
― Data downloaded by criminals in Russia
― Impacts― FINANCIAL ndash Current financial cost to Target estimated at $61m (Industry-wide costs estimated at
$200m)
Get back to basics
― Itrsquos not just about the enemy at the gates (ie the perimeter)
― The perimeter is hard to define these days
― We cannot rely solely upon prevention ndash our detection and response capability must improve
We need to take the threat seriously
Get back to basics
― Technology and tools of the highest quality can be undermined by weaknesses in basic security practices
― Or by a flawed corporate culture
― CyberInformation risk is a problem for the entire business to resolve ndash not just IT
― Todayrsquos cyber criminals recognise this and exploit it by adopting a range of approaches which step away from the purely technical and exploit weaknesses in the way that organisations manage control and interact with their information
― A full frontal assault is unlikely to be profitable ndash an attacker will target compromise from the inside And they can be very patient
Get back to basics
Fundamentally addressing the Cyber Threat means going back to basics looking again at your organisation and the controls you already have
― Understanding your people ndash what threats do they pose After all there is no patch for stupidity
― Understanding your organisationrsquos information where it is and how it is used
― Identifying the main risks to physical and information assets
― Ensuring that the right measures are adopted to mitigate risk to within acceptable levels ndash balancing cost versus risk
Get back to basics ndash governance foundations
Unless the foundations of good information and security governance are working well any investment in security technology will most likely be wasted Fundamental areas for focus are
― Staff security training and awareness
― Robust oversight and management of third party suppliers
― Software amp hardware patch management
― Intelligent management amp admin of user access
― Clear policies on security acceptable system use and social media
People Process Tools In that order
Get back to basics ndash making it work
For effective and sustainable governance
― Setting maintaining and continuing to evolve the ldquotone at the toprdquo
― Monitoring of information risk management by the Board of Directors
― Ongoing practical and relevant awareness training
― Independent assurance
― Regular risk-based security testing Inside and outside the perimeter
What happens if a security breach occurs
― If a security breach occurs organisations that follow clearly documented plans to reduce the impact of the breach have a much better chance of staying out of the law courts and avoiding punishment
― Most organisations unfortunately dont have good systems for actually managing the problem If a breach occurs the law is really concerned with your behaviour at that point in time You cant unravel the past and pretend the breach didnt occur its what you do from that point on that will determine your culpability
― On top of having well documented systems and procedures organisations need to have clearly defined actions for dealing with a breach and limiting the damage to those affected This is likely to involve multiple disciplines that could include information security specialists IT resources a PR agency legal advice and credit reporting services
― If you adopt an honourable stance from the outset doing the right thing at the right time then your legal team is in a very strong position to defend you to the regulator arguing that youre not the kind of organisation that has the profile that requires all of the effect of the law and therefore the punishment
How to protect organisations from security breaches
― Take some basic steps to build a protective shieldrdquo most notably― Build a single unified security policy
― Ensure information security forms part of any contract initiation
― Make security part of the process when any project is initiated
― Employee adequacy ndash ensure you have processes for handling new employees changes of job and for employees exiting the company show that they were made aware of security requirements
― Third-party assurance ndash have processes in place to guard information held by third parties
― Culture ndash have a managerial structure in place that demonstrates a chain of responsibility for handling security and reporting errors― lsquoTone at the toprsquo
― Shared ownership of good practices
― Openness amp transparency ndash continuous improvement
State of the Nation ndash addressing Cyber RiskFour golden rules our plan is founded upon
Over 75 of attacks exploit failures to put in place basic controls
Get the basics right
You have to prioritize where you spend your money to defend yourself so build a fortress
around your most critical asset
Look after the crown jewels
Invest in understanding who might attack you why and how so that you can anticipate the most likely scenarios and defend those assets that are
most likely to get attacked
Do your homework on your enemies
Security and resilience can affect nearly every part of an organization Strategies to protect IT
security and business resiliency should align with an organizationrsquos broader goals ndash from protecting intellectual property to maximizing productivity to
finding new ways to delight customers
Treat cyber risk as an opportunity to look closely at your business
Solving the big lsquoBoard reporting problemrsquo in cyberJon Hawes Security Intelligence Strategist Panaseer
Cyber security insuranceGraeme Newman Chief Innovation OfficerCFC
Tackling the insider threatGarath Lauder Director CyberseerTed Plumis Vice President of Channels and Corporate Development Exabeam
Social engineering the art of the conRob Shapland Penetration Testing Team Manager First Base Technologies
Cryptography Basics Dr David Weston Lecturer in Computer Science and Information SystemsBirkbeck University of London
Tokens Honeypots Idenitfication Authorisation Services Ray Dalgarno Director CYBERCAST
Trust with ldquoTHISrdquo
TokensHoneypots
Identification Authorisation ServicesThe Confluence
Agenda
Warfare
Attack Surface Attribution Residency Deniability
Honeypots amp Tokens
Identification and Authorisation
Conclusion
Warfare: security through obscurity – the reason the armed forces adopt camouflage
NHS Cyber Attacks – The Telegraph, 1st November 2016
"…hacking is no longer the stuff of spy thrillers and action movies but a clear and present threat…"
"…Ben Gummer, Minister for the Cabinet Office, says that large quantities of sensitive data held by the NHS and the Government are being targeted by hackers…"
"…Ministers will also unveil a Cyber Security Research Institute, a virtual collection of UK universities which will work towards making passwords obsolete…"
Cyber Fraud – extract from The Telegraph, 20th October 2016
"…Online fraudsters stole £10.9bn in the UK last year…"
"…39% (of respondents) questioned by Get Safe Online said they were a victim of cybercrime but did not report it…"
"…53% received phishing messages…"
Cyber Crime is a War Zone
"Rouse him and learn the principle of his activity or inactivity. Force him to reveal himself, so as to find out his vulnerable spots."
"If you know the enemy and know yourself, you need not fear the results of a hundred battles."
– Sun Tzu, military general, strategist and philosopher, 5th century BC, China
Deception is a powerful, effective but under-utilised tool (at least by defenders).
Deception effects – attacker and defender. The full range of "effects" on an adversary is possible through deception:

Effect            Attacker's use                                            Defender's use
Fail to observe   Prevent the defender from detecting the attack            Prevent the attacker from discovering their target
Reveal            Trick the defender into providing access                  Trick the attacker into revealing their presence
Waste time        Focus the defender's attention on the wrong aspects       Focus the attacker's efforts on the wrong target
                  of the incident
Operation Mincemeat, 1943
A successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa: to convince the Germans that, instead of attacking Sicily, the Allied armies would invade Greece. This was accomplished by persuading the Germans that they had, by accident, intercepted top secret documents giving details of Allied war plans.
Attack Surface, Attribution, Residency, Deniability – from the living room to the boardroom
Attack Surface
From ordinary consumers to a single-office business, through the regulatory bodies, to the national and global giants.
The environment dictates the approach: there is no "silver bullet".
Layered security: combining multiple mitigating security controls to protect resources and data cost-effectively.
Attack Attribution
At which point in the attack do you realise that you have been hacked? (TalkTalk, DNC, Yahoo)
There are very few "smoking guns" visible. Attacks often begin with broadly targeted phishing, introduce and run new binaries on the victim's network, and connect to arbitrary internal hosts using exfiltrated credentials, yet can still remain hidden for a year.
Examples of global IT vendors' vulnerabilities
Microsoft: the August 2016 Patch Tuesday included five updates rated critical out of a total of nine, bringing the number of patches for the year to date to 103.
SAP: "There are vulnerabilities in almost every SAP module; CRM, EP and SRM are leaders among them." (ERPScan, SAP Cyber Threat Report 2016)
Oracle MICROS (and others): "In total, more than one million PoS terminals around the world could be at risk should the attacks prove to have been deeper than the companies are currently publicly admitting." (Computing, August 2016)
Dwell Time / Residency
Mandiant reported that attackers on average lurked on a network for 205 days before being discovered.¹
Microsoft recently reported that they place the number at more than 200 days to detect a security breach and 80 days to contain it.²
¹ https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf
² https://blogs.windows.com/windowsexperience/2016/03/01/announcing-windows-defender-advanced-threat-protection/
Plausible Deniability & Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrongdoing cannot be proved true or untrue because there is no evidence proving the allegation.
It is a basic law for the cheat and the deceiver: be able to offer up an excuse that cannot easily be disproved and that makes sense for the situation.
Trickle-down Effects
Trickle-down is accelerating: yesteryear's top-end car innovations eventually migrate through the model range and become standard options in lower-priced vehicles.
This pattern of innovation holds true in virtually every field, including cyber security.
Malware as a Service (MaaS) is moving from heavily funded specialist cyber experts down into the mass market.
MaaS is now commonly available at very low cost through the darknet, over anonymity networks such as Tor and I2P.
Honeypots & Tokens: evolution and mimicry
Honeypots
Venus flytrap in action: a triggered honeypot.
The Trojan Horse: a passive honeypot, built by the Greeks to enter the city of Troy and win the ten-year Trojan War.
Cartography: a trap street, a passive honeypot, is a fictitious entry in the form of a misrepresented street, placed to trap potential copyright violators.
Tempting: the "moneypot" ("All mine…" … "Ooops").
Honeypot Principle
Focus on detecting threats: here we'd like to know immediately when someone has broken into the network and is in places they shouldn't be.
Ensure the honeypot looks appealing to the attacker: it must look legitimate and enticing.
In this scenario the defender has a particular advantage. Once attackers land inside your internal network they are at a disadvantage: they don't know the lay of the land, and they need to explore it (reconnaissance) while remaining hidden. A honeypot turns that reconnaissance into a detection, because no legitimate user has a reason to touch it.
Defence through Deception
Deception is a highly effective way of protecting environments; it is used to confuse, delay and redirect the enemy.
Lured to the Canary honeypot, the attacker is tricked into engaging with that device and believes the attack is succeeding.
Canary – Today and Tomorrow
Canary is great for remote sites, but what about our virtualised data centres?
What about integration with established enterprise monitoring frameworks such as OpenView, CA or Microsoft SCOM?
Console management: is there a limit on the number of deployed Canaries?
Are "Canarytokens" part of tomorrow's planning?
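The honeypot principle above (know immediately when someone is somewhere no legitimate user has reason to be) and the "Canarytokens" question can be shown with a decoy credential, and the same log parser also catches the pattern described under Attack Attribution (stolen credentials being used against many internal hosts). The block below is an added example written for this page; it is not code from the talk, from the Canary product mentioned on the slides or from any other vendor. The sshd-style log lines, the defender secret, the planting locations and the three-host fan-out threshold are all constructed assumptions.

```python
"""Detecting an intruder who has already landed inside the network.

Two checks over sshd-style authentication logs:
  1. honeytoken: any use of a planted decoy account. Each planting location
     gets its own decoy name, so the alert says where the attacker found it.
  2. fan-out: one account logging in to many different hosts, the
     "connect to random internal hosts with stolen credentials" pattern.
Added example for this page; not code from the talk or from any vendor.
"""
import hashlib
import hmac
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed for this example: a defender-only secret and the places where
# decoy credentials were left for an attacker to harvest.
DEFENDER_SECRET = b"demo-secret-rotate-in-real-use"
PLANT_LOCATIONS = [
    "fs01:/shares/finance/backup_notes.txt",
    "ws-hr-07:C:/Users/Public/old_creds.txt",
    "wiki:Ops/Runbooks/Backups",
]
FANOUT_THRESHOLD = 3  # distinct hosts one account must reach before we alert


def decoy_tag(location: str) -> str:
    """8-hex-char tag derived from the planting location with an HMAC, so only
    the defender can tell which decoy belongs to which location."""
    return hmac.new(DEFENDER_SECRET, location.encode(), hashlib.sha256).hexdigest()[:8]


def make_decoy(location: str) -> Dict[str, str]:
    """A plausible-looking service account to plant at one location. No real
    account has this name, so any attempt to use it is hostile by definition."""
    pw = hashlib.sha256(DEFENDER_SECRET + location.encode()).hexdigest()[:16]
    return {"username": f"svc_backup_{decoy_tag(location)}", "password": pw,
            "location": location}


# "<ts> <host> sshd[pid]: Accepted|Failed <method> for [invalid user] <user>
#  from <ip> port <n> ssh2"; sshd writes "invalid user" for unknown names.
AUTH_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)
DECOY_RE = re.compile(r"^svc_backup_(?P<tag>[0-9a-f]{8})$")


def detect(log_lines: List[str], locations: List[str]) -> List[Dict[str, str]]:
    """Return one alert per decoy-credential use, plus one per fanning-out account."""
    planted = {decoy_tag(loc): loc for loc in locations}
    hosts_by_user: Dict[str, Set[str]] = defaultdict(set)
    alerts: List[Dict[str, str]] = []
    for line in log_lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        d = DECOY_RE.match(m["user"])
        if d and d["tag"] in planted:  # a lookalike name never planted is ignored
            alerts.append({"type": "honeytoken", "user": m["user"], "src": m["src"],
                           "host": m["host"], "harvested_from": planted[d["tag"]]})
        if m["result"] == "Accepted":
            hosts_by_user[m["user"]].add(m["host"])
    for user, hosts in sorted(hosts_by_user.items()):
        if len(hosts) >= FANOUT_THRESHOLD:
            alerts.append({"type": "fanout", "user": user,
                           "hosts": ",".join(sorted(hosts))})
    return alerts


# Constructed sample log: a normal login, an attacker trying the decoy found on
# fs01 and a lookalike guess, then the same source hopping between hosts as bob.
PLANTED_DECOY = make_decoy(PLANT_LOCATIONS[0])["username"]
SAMPLE_LOG = [
    "Jan 12 03:14:07 bastion sshd[812]: Accepted publickey for alice from 10.20.0.7 port 50122 ssh2",
    f"Jan 12 03:21:40 fs02 sshd[901]: Failed password for invalid user {PLANTED_DECOY} from 10.20.0.45 port 51234 ssh2",
    "Jan 12 03:21:44 fs02 sshd[901]: Failed password for invalid user svc_backup_deadbeef from 10.20.0.45 port 51234 ssh2",
    "Jan 12 03:30:02 fs02 sshd[933]: Accepted password for bob from 10.20.0.45 port 51300 ssh2",
    "Jan 12 03:31:15 db01 sshd[120]: Accepted password for bob from 10.20.0.45 port 51310 ssh2",
    "Jan 12 03:32:40 ws-hr-07 sshd[77]: Accepted password for bob from 10.20.0.45 port 51322 ssh2",
    "Jan 12 03:40:00 bastion sshd[840]: Failed password for alice from 10.20.0.7 port 50140 ssh2",
]


def run_demo() -> List[Dict[str, str]]:
    return detect(SAMPLE_LOG, PLANT_LOCATIONS)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

To plant a decoy, write the output of make_decoy(location) into the file or wiki page that location names; because the tag is an HMAC of the location, the defender can regenerate the tag-to-location map from the secret at any time and never has to store a lookup table where an attacker could read it. A decoy fired from a workstation share tells you something different from one fired from the finance file server, which is the attribution the slides ask about. In practice both checks would run against the central syslog or SIEM feed rather than an in-memory list, and the fan-out threshold would be tuned against a baseline of how many hosts admins normally reach.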
Identification & Authorisation: a new way forward
Tokens
In general a token is an object that represents something else, such as another object (physical or virtual) or an abstract concept. In computer systems there are a number of types of token, both hardware and software.
In human terms a token of trust can exist between two parties, with the level of trust reinforced through personal introductions by other parties. A token generation and management platform designed specifically for high-security multi-services in public and private clouds greatly enhances trustworthy information handling.
Identification with passwords
Any directory service or management platform holding passwords becomes a target for the attacker's credential theft.
Passwords are fundamentally flawed: often easy to guess; reused across different services; written down, stored or shared; able to be intercepted; expensive to maintain. 29% of all cybercrime is from stolen passwords.
Identification without passwords
The problem: the password has outlived its usefulness.
Secure Cloudlink's response: a patented, tokenised message management solution that makes passwords redundant. User credentials are not transmitted, stored or replicated; secure digital services are a snap for the user. Randomised, encrypted key generation means there is no consistent key to be stolen.
Conclusion: possible quick wins
Immediate, low-risk considerations
People protection: continuous, interactive education on the threats and risks posed by cyber criminals, through Phish5 email phishing simulations with supporting education processes.
Network hardening: rapid deployment of customisable, low-cost, capex-free Canary honeypots at the strategic points on the network.
Access and authorisation protection: review and assess the usage and costs (direct and indirect) of passwords in your own organisation, and test the results against Secure Cloudlink.
Information handling assurance: regular external expert assessment and audit of network and data governance practices and procedures.
Security through obscurity
Warfare – the social threat
Attack Surface, Attribution, Residency, Deniability – living room to boardroom
Honeypots & Tokens – evolution mimicked
Identification and Authorisation – a new pathway
Thank you
Trust in "THIS": Security through Obscurity – Ray Dalgarno, ray@cybercast.co
New and evolving forms of malware – Mark Olding, Senior Enterprise Presales Consultant, Kaspersky Lab
The what, how, who and why of computer malware
THE SCALE OF THE THREAT
1994: 1 new virus every hour
2006: 1 new virus every minute
2011: 1 new virus every second
2016: 310,000 new samples every day
THE NATURE OF THE THREAT
90%: traditional cybercrime
9.9%: targeted threats to organisations (targeted attacks, advanced persistent threats)
0.1%: cyber-weapons
TRENDS AND THREATS
Internet of Things; Big Data; fragmentation of the internet; cloud and virtualisation; consumerisation and mobility; critical infrastructure at risk; increasing online commerce; privacy and data protection challenge; online banking at risk; mobile threats; decreasing costs of APTs; merger of cyber crime and APTs; supply chain attacks; targeting hotel networks; ransomware programs; cyber mercenaries; massive data leaks; malware for ATMs; financial phishing attacks; attacks on PoS terminals; threats to smart cities; 'wipers' and cyber-sabotage; targeted attacks.
HOW MALWARE SPREADS
USB sticks; email; exploit kits; social networks; browsers; Android OS.
VULNERABILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab detected 798,113,087 web attacks in 2015: 25 attacks per second, 1,518 per minute, 91,000 per hour, 2.1 million per day.
DRIVE-BY DOWNLOADS (chart, June 2015)
SOCIAL MEDIA (chart, June 2015)
REMOVABLE DRIVES (chart, June 2015)
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015 (chart: users attacked per month, Nov 2014 to Sep 2015, y-axis 0 to 450,000 users)
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on almost 2 million computers. This number is 2.8% higher than in 2014. (chart, June 2015)
RANSOMWARE (chart, June 2015): blockers versus cryptors
ADVANCED PERSISTENT THREATS
Stuxnet, Duqu, Gauss, Flame, MiniFlame, Kimsuky, NetTraveler, Winnti, Icefog, Red October, Miniduke, TeamSpy, Energetic Bear / Crouching Yeti, Epic Turla, Careto / The Mask, Regin, CosmicDuke, Darkhotel, Spring Dragon, Satellite Turla, MsnMM campaigns, Darkhotel Part 2, Animal Farm, Equation, Desert Falcons, Carbanak, Sofacy, Hellsing, Naikon, Duqu 2.0, Blue Termite, Wild Neutron.
We discover and dissect the world's most sophisticated malware.
HOW THE CARBANAK CYBERGANG STOLE $1bn: a targeted attack on a bank
1. Infection: Carbanak sent a backdoor as an attachment in emails carrying exploits to bank employees; credentials were stolen and hundreds of machines were infected in the search for an admin PC.
2. Harvesting intelligence: the clerk's screen was intercepted and recorded, giving access to the cash transfer systems.
3. Mimicking the staff: how the money was stolen.
   Online banking: money was transferred to the fraudsters' accounts.
   E-payment systems: money was transferred to banks in China and the US.
   Inflated account balances: the extra funds were pocketed via a fraudulent transaction.
   Controlling ATMs: orders to dispense cash at a pre-determined time.
MAC MALWARE
In 2012 the Flashback botnet was discovered, consisting of 700,000 computers all running Mac OS X.
Cybercriminals repeatedly use Mac malware when launching targeted attacks.
Macs can unknowingly pass PC malware on to the PCs in your network.
(chart: Mac malware samples per year, 2003 to 2015, y-axis 0 to 30,000)
Since 2012 the proportion of adware on OS X has increased fivefold.
Kaspersky Lab recorded almost 6 million unique attacks on Mac devices in 2015.
There are more than 24,000 samples of malicious OS X files in Kaspersky Lab's collection.
MOBILE MALWARE
(chart: mobile malware samples per quarter, Q1 2011 to Q3 2015, y-axis 0 to 1,600,000)
(chart: mobile malware by type: Adware, RiskTool, Trojan-SMS, Trojan, Trojan-Spy, Backdoor, Trojan-Downloader, Trojan-Banker, Trojan-Ransom, Monitor, Other)
RIGHT NOW
• Evaluate the risks
• Patch OS and applications
• Manage your network
• Secure your systems: multi-layered protection, not just endpoints; default-deny; encrypt; don't forget mobile
• Educate staff
• Stop fire-fighting; create a strategy
• It's bigger than IT
• Delegate to experts: assessment, incident response, analysis
TOMORROW – FUTURE PROSPECTS
• 'The end of APTs'
• Alternative payment systems and stock exchanges
• Sabotage, extortion and shame
• Ransomware
• Trusted resources
• From 'APT-as-a-Service' to 'Access-as-a-Service'
• Balkanisation
• Transportation
• 'Crypto-apocalypse'
THANK YOU
Closing keynote address – Vicki Gavin, Compliance Director, Head of Business Continuity & Information Security, The Economist Group
Thank you
A Future Ransomware Model (a cycle)
Establish initial access
Escalate privileges
Identify critical systems
Install ransomware
Collect payment
Scan for vulnerabilities
Maximising lost value for the victim; minimising costs for the attacker.
www.talosintelligence.com / blog.talosintel.com / @talossecurity
Incident response: what to do in the event of a cyber breach – Mark Child, Managing Director, and Neil May, Senior Manager, Technology Risk Management, GLE Consulting Limited
What To Do In The Event of A Cyber Breach: Incident Response
ICSA: The Governance Institute, 4th November 2016
You might be feeling a bit like this… a rabbit in the headlights. Or, depending on your board, possibly like this.
The big question is: is this really an entirely new threat that we are facing?
Our view
The threat is NOT new. 'Cyber' is a convenient label for information risk in the 21st century.
But there are some trends:
― We are noticing more and larger breaches
― Breaches and data leaks are making the news; there is public, media and regulatory interest
― The criminals are getting smarter
Our view – how do we respond?
Pursue a strategy of defence-in-depth. Avoid our historic fixation on 'the perimeter'.
This is not a purely technical problem, and the solution is not necessarily a technical one, but technical controls remain key.
The weakest links are likely to be your people and your third party suppliers and partners.
Summary
― 'Cyber threat' is nothing new, in our view
― But it is serious
― Target defence in depth
― Staff, contractors and suppliers are now your weakest link
― Get back to basics on information governance
― Apply technology solutions intelligently to support and enable
History quiz: just how successful was it? Not very successful at all.
Perception versus reality: we think we are building this… but we have potentially built this…
Case studies – poor practices (TalkTalk)
― October 2015
― Cause: a simple (and old) technical exploit, executed by a 15-year-old boy
― Immediate result: 150,000 customer records stolen (over 15,000 with full bank details)
― Incident and crisis management extremely poor: CEO unprepared and poorly briefed; scope of breach massively over-estimated; response ill-judged (500,000 customers given a 'free upgrade')
― Impacts:
  REPUTATION – lost 95,000 customers in year 1
  FINANCIAL – current financial cost estimated at £60m
  REGULATORY – formally sanctioned by the ICO (fined £400k)
Case studies – insider threat (Sony Pictures Entertainment)
― December 2014
― Cause: malicious software deployed via a 'phishing' attack, used to obtain IDs and passwords; politically motivated
― Immediate result: 100 terabytes of data stolen (the whole of the .co.uk domain is only 68 TB)
― Data included entire movies, financials, staff data, salary data and email records; the data was posted on the internet for download
― Impacts:
  REPUTATION – deputy CEO forced to resign over damaging email content
  FINANCIAL – current financial cost estimated at $15m (impact reduced by insurance and a managed legal response)
Case studies – third party (Target)
― Spring 2014
― Cause: security compromise at a third-party air conditioning and ventilation contractor, through which access was gained to Target's network
― Immediate result: 70m customer records and 40m credit card records harvested across 1,797 stores over an extended period; data downloaded by criminals in Russia
― Impacts:
  FINANCIAL – current financial cost to Target estimated at $61m (industry-wide costs estimated at $200m)
Get back to basics
― It's not just about the enemy at the gates (i.e. the perimeter)
― The perimeter is hard to define these days
― We cannot rely solely upon prevention: our detection and response capability must improve
― We need to take the threat seriously
Get back to basics
― Technology and tools of the highest quality can be undermined by weaknesses in basic security practices, or by a flawed corporate culture
― Cyber/information risk is a problem for the entire business to resolve, not just IT
― Today's cyber criminals recognise this and exploit it by adopting a range of approaches that step away from the purely technical and exploit weaknesses in the way that organisations manage, control and interact with their information
― A full frontal assault is unlikely to be profitable; an attacker will target compromise from the inside, and they can be very patient
Get back to basics
Fundamentally, addressing the cyber threat means going back to basics, looking again at your organisation and the controls you already have:
― Understanding your people: what threats do they pose? After all, there is no patch for stupidity
― Understanding your organisation's information: where it is and how it is used
― Identifying the main risks to physical and information assets
― Ensuring that the right measures are adopted to mitigate risk to within acceptable levels, balancing cost against risk
Get back to basics – governance foundations
Unless the foundations of good information and security governance are working well, any investment in security technology will most likely be wasted. Fundamental areas for focus are:
― Staff security training and awareness
― Robust oversight and management of third party suppliers
― Software and hardware patch management
― Intelligent management and administration of user access
― Clear policies on security, acceptable system use and social media
People, process, tools: in that order.
Get back to basics – making it work
For effective and sustainable governance:
― Setting, maintaining and continuing to evolve the 'tone at the top'
― Monitoring of information risk management by the Board of Directors
― Ongoing, practical and relevant awareness training
― Independent assurance
― Regular risk-based security testing, inside and outside the perimeter
What happens if a security breach occurs?
― If a security breach occurs, organisations that follow clearly documented plans to reduce the impact of the breach have a much better chance of staying out of the law courts and avoiding punishment
― Most organisations, unfortunately, don't have good systems for actually managing the problem. If a breach occurs, the law is really concerned with your behaviour at that point in time. You can't unravel the past and pretend the breach didn't occur; it's what you do from that point on that will determine your culpability
― On top of having well documented systems and procedures, organisations need clearly defined actions for dealing with a breach and limiting the damage to those affected. This is likely to involve multiple disciplines, which could include information security specialists, IT resources, a PR agency, legal advice and credit reporting services
― If you adopt an honourable stance from the outset, doing the right thing at the right time, then your legal team is in a very strong position to defend you to the regulator, arguing that you're not the kind of organisation whose profile requires the full effect of the law and therefore the punishment
How to protect organisations from security breaches
― Take some basic steps to build a "protective shield", most notably:
― Build a single, unified security policy
― Ensure information security forms part of any contract initiation
― Make security part of the process when any project is initiated
― Employee adequacy: ensure you have processes for handling new employees, changes of job and employees exiting the company, and show that they were made aware of security requirements
― Third-party assurance: have processes in place to guard information held by third parties
― Culture: have a managerial structure in place that demonstrates a chain of responsibility for handling security and reporting errors; 'tone at the top'; shared ownership of good practices; openness and transparency; continuous improvement
State of the Nation ndash addressing Cyber RiskFour golden rules our plan is founded upon
Over 75 of attacks exploit failures to put in place basic controls
Get the basics right
You have to prioritize where you spend your money to defend yourself so build a fortress
around your most critical asset
Look after the crown jewels
Invest in understanding who might attack you why and how so that you can anticipate the most likely scenarios and defend those assets that are
most likely to get attacked
Do your homework on your enemies
Security and resilience can affect nearly every part of an organization Strategies to protect IT
security and business resiliency should align with an organizationrsquos broader goals ndash from protecting intellectual property to maximizing productivity to
finding new ways to delight customers
Treat cyber risk as an opportunity to look closely at your business
Solving the big lsquoBoard reporting problemrsquo in cyberJon Hawes Security Intelligence Strategist Panaseer
Cyber security insuranceGraeme Newman Chief Innovation OfficerCFC
Tackling the insider threatGarath Lauder Director CyberseerTed Plumis Vice President of Channels and Corporate Development Exabeam
Social engineering the art of the conRob Shapland Penetration Testing Team Manager First Base Technologies
Cryptography Basics Dr David Weston Lecturer in Computer Science and Information SystemsBirkbeck University of London
Tokens Honeypots Idenitfication Authorisation Services Ray Dalgarno Director CYBERCAST
Trust with ldquoTHISrdquo
TokensHoneypots
Identification Authorisation ServicesThe Confluence
Agenda
Warfare
Attack Surface Attribution Residency Deniability
Honeypots amp Tokens
Identification and Authorisation
Conclusion
WarfareSecurity through obscurity ndash
the reason the armed forces adopt camouflage
NHS Cyber Attacks ndash The Telegraph 1st Nov 2016
ldquohelliphacking is no longer the stuff of spy thrillers and action movies but a clear and present threathelliprdquo
ldquohellipBen Gummer minister for Cabinet says that large quantities of sensitive data held by the NHS and the Government is being targeted by hackershelliprdquo
ldquohellipMinisters will also unveil a Cyber Security Research Institute a virtual collection of UK universities which will work towards making passwords obsoletehelliprdquo
Cyber Fraud
ldquohellipOnline fraudsters stole pound109bn in the UK last yearhelliprdquo
ldquohellip39 (of respondents) questioned by ldquoGet Safe Onlinerdquo said they were a victim of cybercrime but did not report ithelliprdquo
ldquohellip53 received phishing messageshelliprdquo
Extract from The Telegraph 20th October 2016
Cyber Crime is a War ZoneldquoRouse him and learn the principle of his activity or inactivity Force him to reveal himself so as to find out his vulnerable spotsrdquoldquoIf you know the enemy and know yourself you need not fear the results of a hundred battlesrdquo
- Sun Tzu Military General Strategist amp Philosopher 5th Century BC ChinaDeception is a powerful effective but under utilised tool ndash (at least by defenders)
Full range of ldquoeffectsrdquo on adversaries possible through deception
Effects Attacker Defender
Fail to observe
Prevent the defender from detecting the attack Prevent the attacker from discovering their target
Reveal
Trick the defender into providing access Trick the attacker into revealing their presence
Waste Time
Focus the defenderrsquos attention on the wrong aspects of the incident
Focus the attackerrsquos efforts on the wrong target
Deception Effects - Attacker amp Defender
Operation Mincemeat - 1943
Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa To convince the Germans that instead of attacking Sicily the Allied armies would invade Greece
Operation Mincemeat - 1943Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa To convince the Germans that instead of attacking Sicily the Allied armies would invade Greece
This was accomplished by persuading the Germans that they had by accident intercepted top secret documents giving details of Allied war plans
Attack Surface Attribution Residency
DeniabilityFrom the living room to the boardroom
Attack Surface
From ordinary consumers to a single-office business through the regulatory bodies to the national and global giants
The environment dictates the approach ndash no ldquoSilver Bulletrdquo
Layered security ndash combining multiple mitigating security controls to cost effectively protect resources amp data
Attack AttributionAt which point in the attack do you realise that you have been hacked
TalkTalk DNC Yahoo
There are very few ldquosmoking gunsrdquo visible
Attacks that often begin with broadly targeted phishing that can introduce amp run new binaries on victims networks amp that connect to random internal hosts using exfiltrated credentials can still remain hidden for a year
Examples of Global IT Vendorsrsquo Vulnerabilities
Microsoft Microsoft August (2016) Patch Tuesday included five updates rated
critical out of a total of nine bringing the number of patches for the year-to-date at 103
SAP There are vulnerabilities in almost every SAP module CRM EP and SRM
are leaders among them ERPScan SAP Cyber Threat Report2016
Oracle MICROS (and others) In total more than one million PoS terminals around the world could be
at risk should the attacks prove to have been deeper than the companies are currently publicly admitting
Computing Aug
Dwell TimeResidency
Mandiant reported that attackers on average lurked on a network for 205 days before being discoveredsup1
Microsoft recently reported they place the number at more than 200 days to detect a security breach and 80 days to contain itsup2
1 httpswww2fireeyecomrsfireyeimagesrpt-m-trends-2015pdf2 httpsblogswindowscomwindowsexperience20160301announcing-windows-defender-advanced-threat-protection
Plausible Deniability amp Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrong doing cannot be proved as true or untrue due to a lack of evidence proving the allegation
It is a basic law for the cheat and the deceiver Be able to offer up an excuse that cannot be disproved easily and that makes sense for the situation
Trickle-down Effects
Increasing rapidity of car-trickle-down yester-yearsrsquo top end car innovations eventually migrate through the models becoming standard options in lower-priced vehicles
This pattern of innovation holds true in virtually every field including cyber- security
Malware as a Service (MaaS) ndash moving from the heavily funded specialist cyber experts down into the mass market
MaaS now commonly available at very low cost through the darknet and sites such TOR I2p
Honeypots amp TokensEvolution Mimicry
Honeypots
Venus Flytrap in Action (triggered honeypot)
Trojan Horse (passive honeypot) Greeks built used to enter the city of Troy and win the 10 year Trojan war - 4th Century story
Cartography A trap street (passive honeypot) is a fictitious entry in the form of a misrepresented street for the purpose of trapping potential copyright violators
Tempting - moneypot
All minehelliphelliphellip
Ooops
Honeypot Principle
Focus on detecting threats Here wersquod like to know immediately someone has broken into the network
and in places they shouldnrsquot be
Ensure the honeypot looks appealing to the attacker The honeypot must look legitimate amp enticing
In this attack scenario the defender has particular advantage Once attackers initially land inside your internal network theyrsquore at a
disadvantage They donrsquot know the lay of the land and they need to explore it (reconnaissance) while remaining hidden
Defence through Deception
Deception is a highly effective solution for protecting environments used to confuse delay and redirect the enemy
Lured to the Canary Honeypot the attacker will be tricked into engaging with that device and believe they are being successful in their attack
Canary ndash Today and Tomorrow
Canary - great for remote sites but what about our VM data centres
What about integration with established enterprise monitoring frameworks such as Openview CA or Microsoft SCOM
Console management limit on the number of deployed Canaries
Are ldquoCanarytokensrdquo part of tomorrowrsquos planning
Identification amp Authorisation
A new way forward
TokensTokens - In general a token is an object that represents something else such as another object (either physical or virtual) or an abstract concept In computer systems there are a number of types of tokens both hardware and software
In human terms a token of trust can exist between two parties with such levels of trust reinforced through personal introductions with other partiesA token generation amp management platform designed specifically for high security multi-services in public and private clouds
greatly enhances trustworthy information handling
Identification with Passwords Any directory service or managementplatform holding passwords becomes atarget by the attacker for credentialsrsquo theft
Passwords are fundamentally flawed Often easy to guess Are reused across different services Are written down or stored or shared Can be intercepted Are expensive to maintain 29 of all cybercrime is from stolen
passwords
Identification WITHOUT Password
The Problem The password has outlived itrsquos usefulness
Secure Cloudlinkrsquos Response Patented and highly secure tokenised message management
solution assures password redundancy User credentials are not transmitted stored or replicated Secure digital services - a snap for the user
Randomised encrypted key generation ndashno consistent key to be stolen
ConclusionPossible quick-wins
Immediate Low-risk ConsiderationsPeople protection Continuous inter-active education on the threats amp risks posed by cyber-criminals through the deployment of Phish5 email phishing simulations with supporting education processes
Network hardening Rapid deployment of customisable low-cost capex-free Canary honeypots throughout the strategic points on the network
Access amp authorisation protection Review and assess the usage amp costs (directindirect) of passwords in your own organisation ndash test the results against Secure Cloudlink
Information handling assurance Regular external expert assessment amp audit of network data governance practices and procedures
Security through obscurity
Warfare: the social threat
Attack surface, attribution, residency, deniability: living room to boardroom
Honeypots and tokens: evolution mimicked
Identification and authorisation: a new pathway
Thank you
Trust in "THIS"
Security through obscurity
Ray Dalgarno
ray@cybercast.co
New and evolving forms of malware
Mark Olding, Senior Enterprise Presales Consultant, Kaspersky Lab
The what, how, who and why of computer malware
THE SCALE OF THE THREAT
1994: 1 new virus every hour
2006: 1 new virus every minute
2011: 1 new virus every second
2016: 310,000 new samples every day
THE SCALE OF THE THREAT
[Chart: share of threat types. Labels: traditional cybercrime; targeted threats to organisations (targeted attacks, advanced persistent threats); cyber-weapons. Values printed on the slide: 90, 99, 01 (percent signs and decimal points lost in extraction).]
THE NATURE OF THE THREAT
TRENDS AND THREATS
• Internet of Things
• Big data
• Fragmentation of the internet
• Cloud and virtualisation
• Consumerisation and mobility
• Critical infrastructure at risk
• Increasing online commerce
• Privacy and data-protection challenges
• Online banking at risk
• Mobile threats
• Decreasing costs of APTs
• Merger of cybercrime and APTs
• Supply-chain attacks
• Targeting hotel networks
• Ransomware programs
• Cyber mercenaries
• Massive data leaks
• Malware for ATMs
• Financial phishing attacks
• Attacks on PoS terminals
• Threats to smart cities
• 'Wipers' and cyber-sabotage
• Targeted attacks
HOW MALWARE SPREADS
• USB sticks
• Email
• Exploit kits
• Social networks
• Browsers
• Android OS
VULNERABILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab detected 798,113,087 web attacks in 2015:
25 attacks per second, 1,518 per minute, 91,000 per hour and roughly 2.2 million per day.
DRIVE-BY DOWNLOADS (June 2015)
SOCIAL MEDIA (June 2015)
REMOVABLE DRIVES (June 2015)
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
[Chart: users attacked per month, November 2014 to September 2015; y-axis 0 to 450,000 users]
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on almost 2 million computers.
This number is 2.8% higher than in 2014.
RANSOMWARE (June 2015)
BLOCKERS
CRYPTORS
ADVANCED PERSISTENT THREATS
Stuxnet, Duqu, Gauss, Flame, MiniFlame, Kimsuky, NetTraveler, Winnti, Icefog, RedOctober, Miniduke, TeamSpy, Energetic Bear / Crouching Yeti, Epic Turla, Careto / The Mask, Regin, CosmicDuke, Darkhotel, Spring Dragon, Satellite Turla, MsnMM campaigns, Darkhotel Part 2, Animal Farm, Equation, Desert Falcons, Carbanak, Sofacy, Hellsing, Naikon, Duqu 2.0, Blue Termite, Wild Neutron
We discover and dissect the world's most sophisticated malware.
HOW THE CARBANAK CYBERGANG STOLE $1bn
A targeted attack on a bank
1. Infection: emails carrying exploits were sent to bank employees, with the Carbanak backdoor as an attachment. Credentials were stolen and hundreds of machines were infected in the search for an admin PC.
2. Harvesting intelligence: the clerk's screen was intercepted and recorded (REC) to learn how the cash transfer systems were operated.
3. Mimicking the staff: how the money was stolen:
• Online banking: money was transferred to the fraudsters' accounts.
• E-payment systems: money was transferred to banks in China and the US.
• Inflated account balances: the extra funds were pocketed via a fraudulent transaction.
• Controlling ATMs: orders to dispense cash at a pre-determined time.
MAC MALWARE
In 2012 the Flashback botnet was discovered, consisting of around 700,000 computers all running Mac OS X.
Cybercriminals repeatedly use Mac malware when launching targeted attacks.
Macs can unknowingly pass PC malware on to PCs in your network.
[Chart: malicious OS X samples by year, 2003 to 2015; y-axis 0 to 30,000]
Since 2012 the proportion of adware on OS X has increased fivefold (x5).
Kaspersky Lab recorded almost 6 million unique attacks on Mac devices in 2015.
There are more than 24,000 samples of malicious OS X files in Kaspersky Lab's collection.
MOBILE MALWARE
[Chart: mobile malware samples by quarter, Q1 2011 to Q3 2015; y-axis 0 to 1,600,000]
Mobile malware by type: Adware, RiskTool, Trojan-SMS, Trojan, Trojan-Spy, Backdoor, Trojan-Downloader, Trojan-Banker, Trojan-Ransom, Monitor, Other
RIGHT NOW
• Evaluate the risks
• Patch OS and applications
• Manage your network
• Secure your systems: multi-layered protection, not just endpoints; default-deny; encrypt; don't forget mobile
• Educate staff
TOMORROW
• Stop fire-fighting: create a strategy
• It's bigger than IT
• Delegate to experts: assessment, incident response, analysis
FUTURE PROSPECTS
• 'The end of APTs'
• Alternative payment systems and stock exchanges
• Sabotage, extortion and shame
• Ransomware
• Trusted resources
• From 'APT-as-a-service' to 'access-as-a-service'
• Balkanisation
• Transportation
• 'Crypto-apocalypse'
THANK YOU
Closing keynote address
Vicki Gavin, Compliance Director, Head of Business Continuity and Information Security, The Economist Group
Thank you
www.talosintelligence.com | blog.talosintel.com
@talossecurity
martinleciscom
Incident response: what to do in the event of a cyber breach
Mark Child, Managing Director, and Neil May, Senior Manager, Technology Risk Management, GLE Consulting Limited
What To Do In The Event of A Cyber Breach
Incident Response
ICSA: THE GOVERNANCE INSTITUTE, 4TH NOVEMBER 2016
You might be feeling a bit like this…
Rabbit in the headlights
Or, depending on your board…
Possibly like this
The big question is…
Is this really an entirely new threat that we are facing?
Our view
The threat is NOT new: 'cyber' is a convenient label for information risk in the 21st century.
But there are some trends:
― We are noticing more and larger breaches
― Breaches and data leaks are making the news; there is public, media and regulatory interest
― The criminals are getting smarter
Our view: how do we respond?
Pursue a strategy of defence-in-depth.
Avoid our historic fixation on 'the perimeter'. This is not a purely technical problem, and the solution is not necessarily a technical one, but technical controls remain key.
The weakest links are likely to be your people and your third-party suppliers and partners.
Summary
― 'Cyber threat' is nothing new, in our view
― But it is serious
― Target defence in depth
― Staff, contractors and suppliers are now your weakest link
― Get back to basics on information governance
― Apply technology solutions intelligently, to support and enable
History quiz
Just how successful was it?
Not very successful at all
Perception versus reality
We think we are building this…
But we have potentially built this…
Case studies: poor practices
― October 2015
― Cause: simple (and old) technical exploit, executed by a 15-year-old boy
― Immediate result: 150,000 customer records stolen (over 15,000 with full bank details)
― Incident/crisis management extremely poor
― CEO unprepared and poorly briefed
― Scope of breach massively over-estimated
― Response ill-judged (500,000 customers given a 'free upgrade')
― Impacts:
― REPUTATION: lost 95,000 customers in year 1
― FINANCIAL: current financial cost estimated at £60m
― REGULATORY: formally sanctioned by the ICO (fined £400k)
Case studies: insider threat
― December 2014
― Cause: malicious software deployed via a 'phishing' attack, used to obtain IDs and passwords
― Politically motivated
― Immediate result: 100 terabytes of data stolen (the whole of the 'co.uk' domain is only 68 TB)
― Data included entire movies, financials, staff data, salary data and email records
― Data posted on the internet for download
― Impacts:
― REPUTATION: deputy CEO forced to resign due to damaging email content
― FINANCIAL: current financial cost estimated at $15m (impact reduced by insurance and a managed legal response)
Case studies: third party
― Spring 2014 (the intrusion itself ran from November to December 2013)
― Cause: security compromise at a third-party air-conditioning and ventilation contractor, through which access was gained to Target's network
― Immediate result: 70m customer records and 40m credit card records harvested across 1,797 stores over an extended period
― Data downloaded by criminals in Russia
― Impacts:
― FINANCIAL: current financial cost to Target estimated at $61m (industry-wide costs estimated at $200m)
Get back to basics
― It's not just about the enemy at the gates (i.e. the perimeter)
― The perimeter is hard to define these days
― We cannot rely solely upon prevention; our detection and response capability must improve
We need to take the threat seriously
Get back to basics
― Technology and tools of the highest quality can be undermined by weaknesses in basic security practices
― Or by a flawed corporate culture
― Cyber/information risk is a problem for the entire business to resolve, not just IT
― Today's cyber criminals recognise this and exploit it by adopting a range of approaches which step away from the purely technical and exploit weaknesses in the way that organisations manage, control and interact with their information
― A full frontal assault is unlikely to be profitable; an attacker will target compromise from the inside. And they can be very patient
Get back to basics
Fundamentally, addressing the cyber threat means going back to basics: looking again at your organisation and the controls you already have.
― Understanding your people: what threats do they pose? After all, there is no patch for stupidity
― Understanding your organisation's information: where it is and how it is used
― Identifying the main risks to physical and information assets
― Ensuring that the right measures are adopted to mitigate risk to within acceptable levels, balancing cost versus risk
Get back to basics: governance foundations
Unless the foundations of good information and security governance are working well, any investment in security technology will most likely be wasted. Fundamental areas for focus are:
― Staff security training and awareness
― Robust oversight and management of third-party suppliers
― Software and hardware patch management
― Intelligent management and administration of user access
― Clear policies on security, acceptable system use and social media
People, process, tools. In that order.
Get back to basics: making it work
For effective and sustainable governance:
― Setting, maintaining and continuing to evolve the 'tone at the top'
― Monitoring of information risk management by the Board of Directors
― Ongoing, practical and relevant awareness training
― Independent assurance
― Regular risk-based security testing, inside and outside the perimeter
What happens if a security breach occurs?
― If a security breach occurs, organisations that follow clearly documented plans to reduce the impact of the breach have a much better chance of staying out of the law courts and avoiding punishment.
― Most organisations, unfortunately, don't have good systems for actually managing the problem. If a breach occurs, the law is really concerned with your behaviour at that point in time. You can't unravel the past and pretend the breach didn't occur; it's what you do from that point on that will determine your culpability.
― On top of having well-documented systems and procedures, organisations need to have clearly defined actions for dealing with a breach and limiting the damage to those affected. This is likely to involve multiple disciplines, which could include information security specialists, IT resources, a PR agency, legal advice and credit reporting services.
― If you adopt an honourable stance from the outset, doing the right thing at the right time, then your legal team is in a very strong position to defend you to the regulator, arguing that you are not the kind of organisation whose profile requires the full effect of the law and therefore the punishment.
How to protect organisations from security breaches
― Take some basic steps to build a 'protective shield', most notably:
― Build a single unified security policy
― Ensure information security forms part of any contract initiation
― Make security part of the process when any project is initiated
― Employee adequacy: ensure you have processes for handling new employees, changes of job and employees exiting the company, and show that they were made aware of security requirements
― Third-party assurance: have processes in place to guard information held by third parties
― Culture: have a managerial structure in place that demonstrates a chain of responsibility for handling security and reporting errors
― 'Tone at the top'
― Shared ownership of good practices
― Openness and transparency: continuous improvement
State of the Nation: addressing cyber risk
Four golden rules our plan is founded upon:
1. Get the basics right. Over 75% of attacks exploit failures to put in place basic controls.
2. Look after the crown jewels. You have to prioritise where you spend your money to defend yourself, so build a fortress around your most critical assets.
3. Do your homework on your enemies. Invest in understanding who might attack you, why and how, so that you can anticipate the most likely scenarios and defend the assets that are most likely to be attacked.
4. Treat cyber risk as an opportunity to look closely at your business. Security and resilience can affect nearly every part of an organisation. Strategies to protect IT security and business resiliency should align with an organisation's broader goals, from protecting intellectual property to maximising productivity to finding new ways to delight customers.
Solving the big 'Board reporting problem' in cyber: Jon Hawes, Security Intelligence Strategist, Panaseer
Cyber security insurance: Graeme Newman, Chief Innovation Officer, CFC
Tackling the insider threat: Garath Lauder, Director, Cyberseer; Ted Plumis, Vice President of Channels and Corporate Development, Exabeam
Social engineering, the art of the con: Rob Shapland, Penetration Testing Team Manager, First Base Technologies
Cryptography basics: Dr David Weston, Lecturer in Computer Science and Information Systems, Birkbeck, University of London
Tokens, honeypots, identification, authorisation, services: Ray Dalgarno, Director, CYBERCAST
Trust with "THIS"
Tokens, Honeypots, Identification, Authorisation, Services: the confluence
Agenda
Warfare
Attack surface, attribution, residency, deniability
Honeypots and tokens
Identification and authorisation
Conclusion
Warfare
Security through obscurity: the reason the armed forces adopt camouflage
NHS cyber attacks (The Telegraph, 1 November 2016)
"…hacking is no longer the stuff of spy thrillers and action movies but a clear and present threat…"
"…Ben Gummer, Minister for the Cabinet Office, says that large quantities of sensitive data held by the NHS and the Government are being targeted by hackers…"
"…Ministers will also unveil a Cyber Security Research Institute, a virtual collection of UK universities which will work towards making passwords obsolete…"
Cyber fraud (extract from The Telegraph, 20 October 2016)
"…Online fraudsters stole £10.9bn in the UK last year…"
"…39% (of respondents) questioned by Get Safe Online said they were a victim of cybercrime but did not report it…"
"…53% received phishing messages…"
Cyber crime is a war zone
"Rouse him and learn the principle of his activity or inactivity. Force him to reveal himself so as to find out his vulnerable spots."
"If you know the enemy and know yourself, you need not fear the results of a hundred battles."
― Sun Tzu, military general, strategist and philosopher, 5th century BC, China
Deception is a powerful, effective but under-utilised tool (at least by defenders).
A full range of 'effects' on adversaries is possible through deception.
Deception effects: attacker and defender
Effect          | Sought by the attacker                                              | Sought by the defender
Fail to observe | Prevent the defender from detecting the attack                      | Prevent the attacker from discovering their target
Reveal          | Trick the defender into providing access                            | Trick the attacker into revealing their presence
Waste time      | Focus the defender's attention on the wrong aspects of the incident | Focus the attacker's efforts on the wrong target
Operation Mincemeat, 1943
A successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa: to convince the Germans that, instead of attacking Sicily, the Allied armies would invade Greece.
This was accomplished by persuading the Germans that they had, by accident, intercepted top-secret documents giving details of Allied war plans.
Attack surface, attribution, residency, deniability: from the living room to the boardroom
Attack surface
From ordinary consumers to a single-office business, through the regulatory bodies, to the national and global giants.
The environment dictates the approach; there is no 'silver bullet'.
Layered security: combining multiple mitigating security controls to cost-effectively protect resources and data.
Attack attribution
At which point in the attack do you realise that you have been hacked? (TalkTalk, DNC, Yahoo)
There are very few 'smoking guns' visible.
Attacks that begin with broadly targeted phishing, introduce and run new binaries on victims' networks, and connect to random internal hosts using exfiltrated credentials can still remain hidden for a year.
Examples of global IT vendors' vulnerabilities
Microsoft: the August 2016 Patch Tuesday included five updates rated critical out of a total of nine, bringing the number of patches for the year to date to 103.
SAP: there are vulnerabilities in almost every SAP module; CRM, EP and SRM are leaders among them (ERPScan SAP Cyber Threat Report 2016).
Oracle MICROS (and others): in total, more than one million PoS terminals around the world could be at risk should the attacks prove to have been deeper than the companies are currently publicly admitting (Computing, August 2016).
Dwell time / residency
Mandiant reported that attackers lurked on a network for a median of 205 days before being discovered¹.
Microsoft recently reported that they put the figure at more than 200 days to detect a security breach and 80 days to contain it².
1 https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf
2 https://blogs.windows.com/windowsexperience/2016/03/01/announcing-windows-defender-advanced-threat-protection/
Plausible deniability and malware intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrongdoing cannot be proved true or untrue, due to a lack of evidence proving the allegation.
It is a basic law for the cheat and the deceiver: be able to offer up an excuse that cannot easily be disproved and that makes sense for the situation.
Trickle-down effects
The trickle-down of car innovation is speeding up: yesteryear's top-end features eventually migrate through the range and become standard options in lower-priced vehicles.
This pattern of innovation holds true in virtually every field, including cyber-security.
Malware as a Service (MaaS) is moving from heavily funded specialist cyber experts down into the mass market.
MaaS is now commonly available at very low cost through darknets such as Tor and I2P.
Honeypots and tokens: evolution, mimicry
Honeypots
Venus flytrap in action (triggered honeypot)
Trojan Horse (passive honeypot): built by the Greeks to enter the city of Troy and win the ten-year Trojan War; a story from classical antiquity
Cartography: a trap street (passive honeypot) is a fictitious entry, in the form of a misrepresented street, for the purpose of trapping potential copyright violators
Tempting: a moneypot. All mine…… Oops!
Honeypot principle
Focus on detecting threats: here we'd like to know immediately when someone has broken into the network and is in places they shouldn't be.
Ensure the honeypot looks appealing to the attacker: it must look legitimate and enticing.
In this attack scenario the defender has a particular advantage. Once attackers initially land inside your internal network they are at a disadvantage: they don't know the lay of the land, and they need to explore it (reconnaissance) while remaining hidden.
Defence through deception
Deception is a highly effective solution for protecting environments, used to confuse, delay and redirect the enemy.
Lured to the Canary honeypot, the attacker is tricked into engaging with that device and believes they are being successful in their attack.
Canary: today and tomorrow
Canary is great for remote sites, but what about our virtualised data centres?
What about integration with established enterprise monitoring frameworks such as OpenView, CA or Microsoft SCOM?
Is there a console-management limit on the number of deployed Canaries?
Are 'Canarytokens' part of tomorrow's planning?
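The Canarytokens question is really a question about detection: a planted decoy only pays off if its use is noticed the moment it happens, which is the honeypot principle stated above. The following is an added example, not code from the talk or from the Canary product, showing the detection half of a honeytoken credential. Decoy account names are seeded into a fake password file or script; because no legitimate user or process ever types them, any authentication attempt naming one, successful or not, is an alert. The decoy names, host names, addresses and sshd log lines are all constructed for this example.

```python
import re
from collections import Counter

# Decoy ("honeytoken") account names planted in the environment. Constructed for
# this example: no real user or process should ever authenticate with these.
DECOY_USERS = frozenset({"svc_backup_legacy", "oracle_dba"})

# Matches the sshd auth-log lines that name an account: accepted logins, failed
# logins (including the "invalid user" variant) and the bare "Invalid user" notice.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted \w+|Failed \w+|Invalid user) (?:for )?(?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def scan(lines):
    """Return one alert per log line in which a decoy account is used.

    Failed attempts matter as much as successes: a decoy name is never typed by
    a legitimate user, so even a single failure means someone has read the
    planted credential and is trying it out.  A success is worse: the planted
    password was valid, so the attacker now has a session to chase.
    """
    alerts = []
    for line in lines:
        m = SSHD_RE.match(line)
        if not m or m["user"] not in DECOY_USERS:
            continue
        severity = "critical" if m["outcome"].startswith("Accepted") else "high"
        alerts.append({
            "ts": m["ts"], "host": m["host"], "user": m["user"],
            "src": m["src"], "outcome": m["outcome"], "severity": severity,
        })
    return alerts


def sources(alerts):
    """Count alerts per source address: the pivot point for containment."""
    return Counter(a["src"] for a in alerts)


# Constructed sample log: normal traffic from 10.0.1.x, then an intruder on
# 10.0.4.23 trying the decoy names it harvested.
SAMPLE_LOG = """\
Nov  4 09:12:01 bastion sshd[4711]: Accepted publickey for alice from 10.0.1.5 port 50122 ssh2
Nov  4 09:12:44 bastion sshd[4712]: Failed password for bob from 10.0.1.9 port 50130 ssh2
Nov  4 02:14:07 fileserver sshd[2231]: Invalid user oracle_dba from 10.0.4.23 port 51022
Nov  4 02:14:07 fileserver sshd[2231]: Failed password for invalid user oracle_dba from 10.0.4.23 port 51022 ssh2
Nov  4 02:14:19 fileserver sshd[2235]: Failed password for svc_backup_legacy from 10.0.4.23 port 51023 ssh2
Nov  4 02:15:02 fileserver sshd[2240]: Accepted password for svc_backup_legacy from 10.0.4.23 port 51031 ssh2
""".splitlines()


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a['severity'].upper():8} {a['ts']} {a['host']} "
              f"{a['outcome']} {a['user']} from {a['src']}")
    print("sources:", dict(sources(found)))
```

Two practical caveats. The decoy names must be unique strings that appear nowhere in the real directory, or the rule will fire on ordinary typos; and a "critical" hit means the decoy password actually worked, so the decoy account must carry no rights and the session on that host is the first thing to hunt.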
Identification and authorisation
A new way forward
Tokens: in general, a token is an object that represents something else, such as another object (physical or virtual) or an abstract concept. In computer systems there are a number of types of tokens, both hardware and software.
In human terms a token of trust can exist between two parties with such levels of trust reinforced through personal introductions with other partiesA token generation amp management platform designed specifically for high security multi-services in public and private clouds
greatly enhances trustworthy information handling
Identification with Passwords Any directory service or managementplatform holding passwords becomes atarget by the attacker for credentialsrsquo theft
Passwords are fundamentally flawed Often easy to guess Are reused across different services Are written down or stored or shared Can be intercepted Are expensive to maintain 29 of all cybercrime is from stolen
passwords
Identification WITHOUT Password
The Problem The password has outlived itrsquos usefulness
Secure Cloudlinkrsquos Response Patented and highly secure tokenised message management
solution assures password redundancy User credentials are not transmitted stored or replicated Secure digital services - a snap for the user
Randomised encrypted key generation ndashno consistent key to be stolen
ConclusionPossible quick-wins
Immediate Low-risk ConsiderationsPeople protection Continuous inter-active education on the threats amp risks posed by cyber-criminals through the deployment of Phish5 email phishing simulations with supporting education processes
Network hardening Rapid deployment of customisable low-cost capex-free Canary honeypots throughout the strategic points on the network
Access amp authorisation protection Review and assess the usage amp costs (directindirect) of passwords in your own organisation ndash test the results against Secure Cloudlink
Information handling assurance Regular external expert assessment amp audit of network data governance practices and procedures
Security Through Obscurity
Warfare - The Social Threat
Attack Surface Attribution Residency Deniability -Livingroom to Boardroom
Honeypots amp Tokens ndash Evolution Mimicked
Identification and Authorisation ndash New Pathway
Thank you
Trust in ldquoTHISrdquo
Security through ObscurityRay Dalgarno
raycybercastco
New and evolving forms of malwareMark Olding Senior Enterprise Presales Consultant Kaspersky Labs
The what how who and why of computer malware
Mark OldingSenior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1NEW VIRUS EVERY HOUR
19941NEW VIRUS EVERY MINUTE
20061NEW VIRUS EVERY SECOND
2011310000NEW SAMPLES EVERY DAY
2016
THE SCALE OF THE THREAT
90
99
01
Targeted attacks
Advanced persistent threats
Traditional cybercrime
Targeted threats to organizations
Cyber-weapons
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of ThingsBig Data Fragmentation of the internet
Cloud amp Virtualization Consumerisation amp Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy amp Data protection challenge
Online banking at risk
Mobile threatsDecreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of ThingsTargeting hotel networks
Ransomware programs
Cyber mercenaries Massive data leaks
Malware for ATMs
Financial phishing attacksAttacks on
PoS terminals
Threats to Smart CitieslsquoWipersrsquo amp Cyber - sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email Exploit kits
Social Networks
BrowsersAn-droi-dOS
VULNERBILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798113087 web attacks in 2015
25 attacks per second1518 attacks per minute
21 million attacks per day 91000 attacks per hour
DRIVE-BY DOWNLOADS
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
bull Evaluate the risksbull Patch OS and applicationsbull Mange your networkbull Secure your systems
Multi-layered protection Not just endpoints Default-Deny Encrypt Donrsquot forget mobile
bull Educate staff
RIGHT NOW
bull Stop fire fighting Create a strategy
bull Itrsquos bigger than ITbull Delegate to experts
Assessment Incident response Analysis
TOMORROW
bull lsquoThe end of APTsrsquobull Alternative payment systems and stock exchangebull Sabotage extortion and shamebull Ransomwarebull Trusted resourcesbull From lsquoAPT-as-a-Servicersquo to lsquoAccess-as-a-servicersquobull Balkanisationbull Transportationbull lsquoCrypto-apocalypse
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
Incident response what to do in the event of a cyber breachMark Child Managing Director andNeil May Senior Manager Technology Risk ManagementGLE Consulting Limited
What To Do In The Event of A Cyber Breach
Incident Response
ICSA THE GOVERNANCE INSTITUTE 4TH NOVEMBER 2016
You might be feeling a bit like thishellip
Rabbit in the headlights
Or depending on your boardhellip
Possibly like this
The big question is hellip
Is this really an entirely new threat that we are facing
Our view
But there are some trends
― We are noticing more and larger breaches
― Breaches and data leaks are making the news ndash there is public media and regulatory interest
― The criminals are getting smarter
The threat is NOT new
lsquoCyberrsquo is a convenient label for information risk in the 21st Century
Our view ndash how do we respond
Pursue a strategy of defence-in-depth
Avoid our historic fixation on lsquothe perimeterrsquo This is not a purely technical problem
The solution is not necessarily a technical one Technical controls remain key
The weakest links are likely to beYour people
Your third party suppliers amp partners
And
So
But
Summary
― lsquoCyber threatrsquo is nothing new ndash in our view
― But it is serious
― Target defence in depth
― Staff contractors and suppliers are now your weakest link
― Get back to basics on information governance
― Apply technology solutions intelligently to support amp enable
History quiz
History quiz
Just how successful was it
Not very successful at
all
Perception versus reality
We think we are building thishellip
But we have potentially built thishellip
Case studies ndash poor practices
― October 2015
― Cause Simple (and old) technical exploit (executed by a 15 year-old boy)
― Immediate result 150000 customer records stolen (0ver 15000 full bank details)
― Incidentcrisis management extremely poor― CEO unprepared amp poorly briefed
― Scope of breach massively over-estimated
― Response ill-judged (500000 customers given lsquofree upgradersquo)
― Impacts― REPUTATION ndash Lost 95000 customers in year 1
― FINANCIAL ndash Current financial cost estimated at pound60m
― REGULATORY ndash Formally sanctioned by ICO (Fined 400k)
Case studies ndash insider threat
― December 2014
― Cause Malicious software deployed via lsquophishingrsquo attack used to obtain IDs and passwords
― Politically motivated
― Immediate result 100 terabytes of data stolen (the whole of the ldquocoukrdquo domain is only 68 Tb)
― Data included entire movies financials staff data salary data email records
― Data posted on the internet for download
― Impacts― REPUTATION ndash Deputy CEO forced to resign due to damaging email content
― FINANCIAL ndash Current financial cost estimated at $15m (impact reduced byinsurances and managed legal response)
Case studies ndash third party
― Spring 2014
― Cause Security compromise at third party AirCon and Ventilation contractor ndash access gained to Targetrsquos network
― Immediate result 70m customer records and 40m credit card records harvested across 1797 stores over extended period
― Data downloaded by criminals in Russia
― Impacts― FINANCIAL ndash Current financial cost to Target estimated at $61m (Industry-wide costs estimated at
$200m)
Get back to basics
― Itrsquos not just about the enemy at the gates (ie the perimeter)
― The perimeter is hard to define these days
― We cannot rely solely upon prevention ndash our detection and response capability must improve
We need to take the threat seriously
Get back to basics
― Technology and tools of the highest quality can be undermined by weaknesses in basic security practices
― Or by a flawed corporate culture
― CyberInformation risk is a problem for the entire business to resolve ndash not just IT
― Todayrsquos cyber criminals recognise this and exploit it by adopting a range of approaches which step away from the purely technical and exploit weaknesses in the way that organisations manage control and interact with their information
― A full frontal assault is unlikely to be profitable ndash an attacker will target compromise from the inside And they can be very patient
Get back to basics
Fundamentally, addressing the Cyber Threat means going back to basics: looking again at your organisation and the controls you already have
― Understanding your people – what threats do they pose? After all, there is no patch for stupidity
― Understanding your organisation's information: where it is and how it is used
― Identifying the main risks to physical and information assets
― Ensuring that the right measures are adopted to mitigate risk to within acceptable levels – balancing cost versus risk
Get back to basics – governance foundations
Unless the foundations of good information and security governance are working well, any investment in security technology will most likely be wasted. Fundamental areas for focus are:
― Staff security training and awareness
― Robust oversight and management of third party suppliers
― Software & hardware patch management
― Intelligent management & admin of user access
― Clear policies on security, acceptable system use and social media
People, Process, Tools. In that order.
Get back to basics – making it work
For effective and sustainable governance:
― Setting, maintaining and continuing to evolve the “tone at the top”
― Monitoring of information risk management by the Board of Directors
― Ongoing, practical and relevant awareness training
― Independent assurance
― Regular risk-based security testing, inside and outside the perimeter
What happens if a security breach occurs?
― If a security breach occurs, organisations that follow clearly documented plans to reduce the impact of the breach have a much better chance of staying out of the law courts and avoiding punishment
― Most organisations, unfortunately, don't have good systems for actually managing the problem. If a breach occurs, the law is really concerned with your behaviour at that point in time. You can't unravel the past and pretend the breach didn't occur; it's what you do from that point on that will determine your culpability
― On top of having well-documented systems and procedures, organisations need to have clearly defined actions for dealing with a breach and limiting the damage to those affected. This is likely to involve multiple disciplines that could include information security specialists, IT resources, a PR agency, legal advice and credit reporting services
― If you adopt an honourable stance from the outset, doing the right thing at the right time, then your legal team is in a very strong position to defend you to the regulator, arguing that you're not the kind of organisation that has the profile that requires all of the effect of the law and therefore the punishment
How to protect organisations from security breaches
― Take some basic steps to build a “protective shield”, most notably:
― Build a single, unified security policy
― Ensure information security forms part of any contract initiation
― Make security part of the process when any project is initiated
― Employee adequacy – ensure you have processes for handling new employees, changes of job and employees exiting the company; show that they were made aware of security requirements
― Third-party assurance – have processes in place to guard information held by third parties
― Culture – have a managerial structure in place that demonstrates a chain of responsibility for handling security and reporting errors:
― ‘Tone at the top’
― Shared ownership of good practices
― Openness & transparency – continuous improvement
State of the Nation – addressing Cyber Risk
Four golden rules our plan is founded upon:
― Get the basics right: over 75% of attacks exploit failures to put in place basic controls
― Look after the crown jewels: you have to prioritize where you spend your money to defend yourself, so build a fortress around your most critical asset
― Do your homework on your enemies: invest in understanding who might attack you, why and how, so that you can anticipate the most likely scenarios and defend those assets that are most likely to get attacked
― Treat cyber risk as an opportunity to look closely at your business: security and resilience can affect nearly every part of an organization. Strategies to protect IT security and business resiliency should align with an organization's broader goals – from protecting intellectual property to maximizing productivity to finding new ways to delight customers
Solving the big ‘Board reporting problem’ in cyber – Jon Hawes, Security Intelligence Strategist, Panaseer
Cyber security insurance – Graeme Newman, Chief Innovation Officer, CFC
Tackling the insider threat – Garath Lauder, Director, Cyberseer; Ted Plumis, Vice President of Channels and Corporate Development, Exabeam
Social engineering: the art of the con – Rob Shapland, Penetration Testing Team Manager, First Base Technologies
Cryptography Basics – Dr David Weston, Lecturer in Computer Science and Information Systems, Birkbeck, University of London
Tokens, Honeypots, Identification, Authorisation Services – Ray Dalgarno, Director, CYBERCAST
Trust with “THIS”
Tokens, Honeypots, Identification, Authorisation Services – The Confluence
Agenda
― Warfare
― Attack Surface, Attribution, Residency, Deniability
― Honeypots & Tokens
― Identification and Authorisation
― Conclusion
Warfare – security through obscurity: the reason the armed forces adopt camouflage
NHS Cyber Attacks – The Telegraph, 1st Nov 2016
“…hacking is no longer the stuff of spy thrillers and action movies but a clear and present threat…”
“…Ben Gummer, minister for Cabinet, says that large quantities of sensitive data held by the NHS and the Government are being targeted by hackers…”
“…Ministers will also unveil a Cyber Security Research Institute, a virtual collection of UK universities which will work towards making passwords obsolete…”
Cyber Fraud
“…Online fraudsters stole £10.9bn in the UK last year…”
“…39% (of respondents) questioned by “Get Safe Online” said they were a victim of cybercrime but did not report it…”
“…53% received phishing messages…”
Extract from The Telegraph, 20th October 2016
Cyber Crime is a War Zone
“Rouse him and learn the principle of his activity or inactivity. Force him to reveal himself, so as to find out his vulnerable spots.”
“If you know the enemy and know yourself, you need not fear the results of a hundred battles.”
– Sun Tzu, Military General, Strategist & Philosopher, 5th Century BC, China
Deception is a powerful, effective but under-utilised tool – (at least by defenders)
Full range of “effects” on adversaries possible through deception
Deception Effects – Attacker & Defender

Effect          | Attacker                                                              | Defender
Fail to observe | Prevent the defender from detecting the attack                        | Prevent the attacker from discovering their target
Reveal          | Trick the defender into providing access                              | Trick the attacker into revealing their presence
Waste time      | Focus the defender's attention on the wrong aspects of the incident   | Focus the attacker's efforts on the wrong target
Operation Mincemeat – 1943
Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa: to convince the Germans that, instead of attacking Sicily, the Allied armies would invade Greece.
This was accomplished by persuading the Germans that they had, by accident, intercepted top secret documents giving details of Allied war plans.
Attack Surface, Attribution, Residency, Deniability – from the living room to the boardroom
Attack Surface
― From ordinary consumers to a single-office business, through the regulatory bodies, to the national and global giants
― The environment dictates the approach – no “Silver Bullet”
― Layered security – combining multiple mitigating security controls to cost-effectively protect resources & data
Attack Attribution
At which point in the attack do you realise that you have been hacked?
TalkTalk, DNC, Yahoo
There are very few “smoking guns” visible
Attacks that often begin with broadly targeted phishing, that can introduce & run new binaries on victims' networks, & that connect to random internal hosts using exfiltrated credentials, can still remain hidden for a year
Examples of Global IT Vendors' Vulnerabilities
― Microsoft: Microsoft's August (2016) Patch Tuesday included five updates rated critical out of a total of nine, bringing the number of patches for the year-to-date to 103
― SAP: there are vulnerabilities in almost every SAP module; CRM, EP and SRM are leaders among them (ERPScan, SAP Cyber Threat Report 2016)
― Oracle MICROS (and others): in total more than one million PoS terminals around the world could be at risk, should the attacks prove to have been deeper than the companies are currently publicly admitting (Computing, Aug)
Dwell Time / Residency
Mandiant reported that attackers on average lurked on a network for 205 days before being discovered¹
Microsoft recently reported they place the number at more than 200 days to detect a security breach and 80 days to contain it²
1. https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf
2. https://blogs.windows.com/windowsexperience/2016/03/01/announcing-windows-defender-advanced-threat-protection/
Plausible Deniability & Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrongdoing cannot be proved as true or untrue due to a lack of evidence proving the allegation.
It is a basic law for the cheat and the deceiver: be able to offer up an excuse that cannot be disproved easily and that makes sense for the situation.
Trickle-down Effects
Increasing rapidity of car trickle-down: yester-years' top-end car innovations eventually migrate through the models, becoming standard options in lower-priced vehicles.
This pattern of innovation holds true in virtually every field, including cyber-security.
Malware as a Service (MaaS) – moving from the heavily funded specialist cyber experts down into the mass market
MaaS is now commonly available at very low cost through the darknet and sites such as TOR and I2P
Honeypots & Tokens – Evolution, Mimicry
Honeypots
― Venus Flytrap in action (triggered honeypot)
― Trojan Horse (passive honeypot): built by the Greeks, used to enter the city of Troy and win the 10-year Trojan war – 4th Century story
― Cartography: a trap street (passive honeypot) is a fictitious entry, in the form of a misrepresented street, for the purpose of trapping potential copyright violators
― Tempting – moneypot. All mine……… Ooops
Honeypot Principle
― Focus on detecting threats: here we'd like to know immediately someone has broken into the network and is in places they shouldn't be
― Ensure the honeypot looks appealing to the attacker: the honeypot must look legitimate & enticing
― In this attack scenario the defender has a particular advantage. Once attackers initially land inside your internal network they're at a disadvantage: they don't know the lay of the land and they need to explore it (reconnaissance) while remaining hidden
Defence through Deception
Deception is a highly effective solution for protecting environments, used to confuse, delay and redirect the enemy.
Lured to the Canary honeypot, the attacker will be tricked into engaging with that device and believe they are being successful in their attack.
Canary – Today and Tomorrow
― Canary – great for remote sites, but what about our VM data centres?
― What about integration with established enterprise monitoring frameworks such as OpenView, CA or Microsoft SCOM?
― Console management: limit on the number of deployed Canaries
― Are “Canarytokens” part of tomorrow's planning?
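The honeypot principle above (a decoy that no legitimate user ever touches, so any contact is a detection) can be applied to credentials as well as devices. The following is an added example, not code from the talk or from the Canary/Canarytokens products: the decoy account names, the log format and the sample log lines are all constructed, and the only rule encoded is the one the slides state, that any attempt against a decoy, including a failed one, is reconnaissance worth alerting on.

```python
"""Decoy-credential ("canary account") detector.

Added example, not code from the talk or from the Canary / Canarytokens
products.  Decoy names, log format and log lines are constructed."""
import re
from dataclasses import dataclass

# Decoy identities planted in the directory.  No legitimate workflow uses them,
# so ANY authentication attempt against one, successful or not, is a signal
# that someone is exploring the "lay of the land".
CANARY_ACCOUNTS = frozenset({
    "svc-backup-legacy",    # constructed: looks like a forgotten service account
    "admin-finance-old",    # constructed: looks like a stale privileged login
})

# Constructed log format: "<ts> sshd auth <success|failure> user=<name> from=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd auth (?P<result>success|failure) "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class CanaryHit:
    timestamp: str
    user: str
    source: str
    result: str


def parse_line(line):
    """Return the fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_canary_hits(log_lines, canaries=CANARY_ACCOUNTS):
    """Every parsable line whose user is a decoy becomes a CanaryHit.

    Failed attempts count too: a failure against a decoy is reconnaissance,
    not a typo, because nobody was ever issued that account."""
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue            # unparsable line; a real pipeline would count these
        if rec["user"] in canaries:
            hits.append(CanaryHit(rec["ts"], rec["user"], rec["src"], rec["result"]))
    return hits


def per_source_summary(hits):
    """Map each source address to the set of decoys it touched.

    A source that probes several decoys is walking the network, which is
    exactly the behaviour the honeypot principle is designed to expose."""
    summary = {}
    for h in hits:
        summary.setdefault(h.source, set()).add(h.user)
    return summary


def sources_to_investigate(hits):
    """Distinct source addresses, in order of first appearance."""
    seen = []
    for h in hits:
        if h.source not in seen:
            seen.append(h.source)
    return seen


# Constructed sample log: two ordinary logins, one host probing both decoys
# (two failures, then a success with a harvested password), one junk line.
SAMPLE_LOG = [
    "2016-11-04T09:12:01Z sshd auth success user=alice from=10.0.1.15",
    "2016-11-04T09:15:44Z sshd auth failure user=svc-backup-legacy from=10.0.5.23",
    "2016-11-04T09:15:52Z sshd auth failure user=admin-finance-old from=10.0.5.23",
    "2016-11-04T09:16:03Z sshd auth success user=bob from=10.0.1.16",
    "2016-11-04T09:16:10Z sshd auth success user=svc-backup-legacy from=10.0.5.23",
    "this line is not in the expected format and is skipped",
]

if __name__ == "__main__":
    hits = detect_canary_hits(SAMPLE_LOG)
    for h in hits:
        print(f"ALERT {h.timestamp} decoy={h.user} from={h.source} ({h.result})")
    for src, decoys in per_source_summary(hits).items():
        print(f"{src} touched {len(decoys)} decoy account(s): {sorted(decoys)}")
```

On the sample log the ordinary logins produce nothing, while 10.0.5.23 generates three alerts and is shown to have touched both decoys, which is the signal to start incident response rather than wait for a 200-day dwell time to end on its own.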
Identification & Authorisation – a new way forward
Tokens
Tokens – in general, a token is an object that represents something else, such as another object (either physical or virtual) or an abstract concept. In computer systems there are a number of types of tokens, both hardware and software.
In human terms, a token of trust can exist between two parties, with such levels of trust reinforced through personal introductions with other parties.
A token generation & management platform designed specifically for high-security multi-services in public and private clouds greatly enhances trustworthy information handling.
Identification with Passwords
Any directory service or management platform holding passwords becomes a target for the attacker for credentials' theft.
Passwords are fundamentally flawed: often easy to guess; reused across different services; written down, stored or shared; can be intercepted; expensive to maintain. 29% of all cybercrime is from stolen passwords.
Identification WITHOUT Passwords
The Problem: the password has outlived its usefulness.
Secure Cloudlink's Response: a patented and highly secure tokenised message management solution assures password redundancy. User credentials are not transmitted, stored or replicated. Secure digital services – a snap for the user.
Randomised encrypted key generation – no consistent key to be stolen.
Conclusion – possible quick-wins
Immediate Low-risk Considerations
― People protection: continuous interactive education on the threats & risks posed by cyber-criminals, through the deployment of Phish5 email phishing simulations with supporting education processes
― Network hardening: rapid deployment of customisable, low-cost, capex-free Canary honeypots throughout the strategic points on the network
― Access & authorisation protection: review and assess the usage & costs (direct/indirect) of passwords in your own organisation – test the results against Secure Cloudlink
― Information handling assurance: regular external expert assessment & audit of network, data governance practices and procedures
Security Through Obscurity
― Warfare – the social threat
― Attack Surface, Attribution, Residency, Deniability – living room to boardroom
― Honeypots & Tokens – evolution mimicked
― Identification and Authorisation – new pathway
Thank you
Trust in “THIS”
Security through Obscurity – Ray Dalgarno
ray@cybercast.co
New and evolving forms of malware – Mark Olding, Senior Enterprise Presales Consultant, Kaspersky Labs
The what, how, who and why of computer malware
Mark Olding, Senior Enterprise Presales Consultant
THE SCALE OF THE THREAT
― 1994: 1 new virus every hour
― 2006: 1 new virus every minute
― 2011: 1 new virus every second
― 2016: 310,000 new samples every day
THE SCALE OF THE THREAT
Figure: breakdown of the threat into traditional cybercrime, targeted threats to organizations (targeted attacks, advanced persistent threats) and cyber-weapons (the percentage values did not survive extraction)
THE NATURE OF THE THREAT
TRENDS AND THREATS
― Internet of Things
― Big Data
― Fragmentation of the internet
― Cloud & Virtualization
― Consumerisation & Mobility
― Critical Infrastructure at risk
― Increasing online commerce
― Privacy & Data protection challenge
― Online banking at risk
― Mobile threats
― Decreasing costs of APTs
― Merger of cyber crime and APTs
― Supply chain attacks
― Targeting hotel networks
― Ransomware programs
― Cyber mercenaries
― Massive data leaks
― Malware for ATMs
― Financial phishing attacks
― Attacks on PoS terminals
― Threats to Smart Cities
― ‘Wipers’ & Cyber-sabotage
― Targeted Attacks
HOW MALWARE SPREADS
― USB sticks
― Email
― Exploit kits
― Social Networks
― Browsers
― Android OS
VULNERABILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798,113,087 web attacks in 2015:
― 25 attacks per second
― 1,518 attacks per minute
― 91,000 attacks per hour
― 2.1 million attacks per day
DRIVE-BY DOWNLOADS (June 2015)
SOCIAL MEDIA (June 2015)
REMOVABLE DRIVES (June 2015)
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Figure: users per month, Nov-14 to Sep-15 (scale 0 to 450,000)
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on almost 2 million computers.
This number is 28% higher than in 2014.
RANSOMWARE (June 2015)
― Blockers
― Cryptors
Advanced Persistent Threats
Stuxnet, Duqu, Gauss, Flame, MiniFlame, Kimsuky, NetTraveler, Winnti, Icefog, RedOctober, Miniduke, TeamSpy, Energetic Bear / Crouching Yeti, Epic Turla, Careto / The Mask, Regin, CosmicDuke, Darkhotel, Spring Dragon, Satellite Turla, MsnMM Campaigns, Darkhotel Part 2, Animal Farm, Equation, Desert Falcons, Carbanak, Sofacy, Hellsing, Naikon, Duqu 2.0, Blue Termite, Wild Neutron
We discover and dissect the world's most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
A targeted attack on a bank
1. Infection: Carbanak sent a backdoor as an attachment; emails with exploits reached bank employees; credentials stolen; 100s of machines infected in search of the admin PC
2. Harvesting intelligence: intercepting the clerk's screen (diagram labels: Admin, REC, cash transfer systems)
3. Mimicking the staff – how the money was stolen:
― Online banking: money was transferred to the fraudsters' accounts
― E-payment systems: money was transferred to banks in China and the US
― Inflated account balances: the extra funds were pocketed via a fraudulent transaction
― Controlling ATMs: orders to dispense cash at a pre-determined time
MAC MALWARE
― In 2012 the Flashback botnet was discovered, consisting of 700,000 computers all running under Mac OS X
― Cybercriminals repeatedly use Mac malware when launching targeted attacks
― Macs can unknowingly pass PC malware onto PCs in your network
Figure: Mac malware samples per period, 2003–2005 through 2015 (scale 0 to 30,000)
― Since 2012 the proportion of adware on OS X has increased fivefold (x5)
― Kaspersky Lab recorded almost 6 million unique attacks on Mac devices in 2015
― There are more than 24,000 samples of malicious OS X files in Kaspersky Lab's collection
MOBILE MALWARE
Figure: mobile malware samples per quarter, Q1 2011 to Q3 2015 (scale 0 to 1,600,000)
Mobile malware by type: Adware, RiskTool, Trojan-SMS, Trojan, Trojan-Spy, Backdoor, Trojan-Downloader, Trojan-Banker, Trojan-Ransom, Monitor, Other
RIGHT NOW
• Evaluate the risks
• Patch OS and applications
• Manage your network
• Secure your systems: multi-layered protection, not just endpoints; Default-Deny; encrypt; don't forget mobile
• Educate staff
TOMORROW
• Stop fire fighting: create a strategy
• It's bigger than IT
• Delegate to experts: assessment, incident response, analysis
FUTURE PROSPECTS
• ‘The end of APTs’
• Alternative payment systems and stock exchange
• Sabotage, extortion and shame
• Ransomware
• Trusted resources
• From ‘APT-as-a-Service’ to ‘Access-as-a-service’
• Balkanisation
• Transportation
• ‘Crypto-apocalypse’
THANK YOU
Closing keynote address – Vicki Gavin, Compliance Director, Head of Business Continuity & Information Security, The Economist Group
Thank you
What To Do In The Event of A Cyber Breach – Incident Response
ICSA THE GOVERNANCE INSTITUTE, 4TH NOVEMBER 2016
You might be feeling a bit like this… Rabbit in the headlights
Or, depending on your board… possibly like this
The big question is… Is this really an entirely new threat that we are facing?
Our view
The threat is NOT new. ‘Cyber’ is a convenient label for information risk in the 21st Century.
But there are some trends:
― We are noticing more and larger breaches
― Breaches and data leaks are making the news – there is public, media and regulatory interest
― The criminals are getting smarter
Our view – how do we respond?
― Pursue a strategy of defence-in-depth
― Avoid our historic fixation on ‘the perimeter’: this is not a purely technical problem
― The solution is not necessarily a technical one, but technical controls remain key
― The weakest links are likely to be your people, and your third party suppliers & partners
Summary
― ‘Cyber threat’ is nothing new – in our view
― But it is serious
― Target defence in depth
― Staff, contractors and suppliers are now your weakest link
― Get back to basics on information governance
― Apply technology solutions intelligently to support & enable
History quiz
Just how successful was it? Not very successful at all
Perception versus reality
We think we are building this… but we have potentially built this…
Case studies ndash poor practices
― October 2015
― Cause Simple (and old) technical exploit (executed by a 15 year-old boy)
― Immediate result 150000 customer records stolen (0ver 15000 full bank details)
― Incidentcrisis management extremely poor― CEO unprepared amp poorly briefed
― Scope of breach massively over-estimated
― Response ill-judged (500000 customers given lsquofree upgradersquo)
― Impacts― REPUTATION ndash Lost 95000 customers in year 1
― FINANCIAL ndash Current financial cost estimated at pound60m
― REGULATORY ndash Formally sanctioned by ICO (Fined 400k)
Case studies ndash insider threat
― December 2014
― Cause Malicious software deployed via lsquophishingrsquo attack used to obtain IDs and passwords
― Politically motivated
― Immediate result 100 terabytes of data stolen (the whole of the ldquocoukrdquo domain is only 68 Tb)
― Data included entire movies financials staff data salary data email records
― Data posted on the internet for download
― Impacts― REPUTATION ndash Deputy CEO forced to resign due to damaging email content
― FINANCIAL ndash Current financial cost estimated at $15m (impact reduced byinsurances and managed legal response)
Case studies ndash third party
― Spring 2014
― Cause Security compromise at third party AirCon and Ventilation contractor ndash access gained to Targetrsquos network
― Immediate result 70m customer records and 40m credit card records harvested across 1797 stores over extended period
― Data downloaded by criminals in Russia
― Impacts― FINANCIAL ndash Current financial cost to Target estimated at $61m (Industry-wide costs estimated at
$200m)
Get back to basics
― Itrsquos not just about the enemy at the gates (ie the perimeter)
― The perimeter is hard to define these days
― We cannot rely solely upon prevention ndash our detection and response capability must improve
We need to take the threat seriously
Get back to basics
― Technology and tools of the highest quality can be undermined by weaknesses in basic security practices
― Or by a flawed corporate culture
― CyberInformation risk is a problem for the entire business to resolve ndash not just IT
― Todayrsquos cyber criminals recognise this and exploit it by adopting a range of approaches which step away from the purely technical and exploit weaknesses in the way that organisations manage control and interact with their information
― A full frontal assault is unlikely to be profitable ndash an attacker will target compromise from the inside And they can be very patient
Get back to basics
Fundamentally addressing the Cyber Threat means going back to basics looking again at your organisation and the controls you already have
― Understanding your people ndash what threats do they pose After all there is no patch for stupidity
― Understanding your organisationrsquos information where it is and how it is used
― Identifying the main risks to physical and information assets
― Ensuring that the right measures are adopted to mitigate risk to within acceptable levels ndash balancing cost versus risk
Get back to basics ndash governance foundations
Unless the foundations of good information and security governance are working well any investment in security technology will most likely be wasted Fundamental areas for focus are
― Staff security training and awareness
― Robust oversight and management of third party suppliers
― Software amp hardware patch management
― Intelligent management amp admin of user access
― Clear policies on security acceptable system use and social media
People Process Tools In that order
Get back to basics ndash making it work
For effective and sustainable governance
― Setting maintaining and continuing to evolve the ldquotone at the toprdquo
― Monitoring of information risk management by the Board of Directors
― Ongoing practical and relevant awareness training
― Independent assurance
― Regular risk-based security testing Inside and outside the perimeter
What happens if a security breach occurs
― If a security breach occurs organisations that follow clearly documented plans to reduce the impact of the breach have a much better chance of staying out of the law courts and avoiding punishment
― Most organisations unfortunately dont have good systems for actually managing the problem If a breach occurs the law is really concerned with your behaviour at that point in time You cant unravel the past and pretend the breach didnt occur its what you do from that point on that will determine your culpability
― On top of having well documented systems and procedures organisations need to have clearly defined actions for dealing with a breach and limiting the damage to those affected This is likely to involve multiple disciplines that could include information security specialists IT resources a PR agency legal advice and credit reporting services
― If you adopt an honourable stance from the outset doing the right thing at the right time then your legal team is in a very strong position to defend you to the regulator arguing that youre not the kind of organisation that has the profile that requires all of the effect of the law and therefore the punishment
How to protect organisations from security breaches
― Take some basic steps to build a protective shieldrdquo most notably― Build a single unified security policy
― Ensure information security forms part of any contract initiation
― Make security part of the process when any project is initiated
― Employee adequacy ndash ensure you have processes for handling new employees changes of job and for employees exiting the company show that they were made aware of security requirements
― Third-party assurance ndash have processes in place to guard information held by third parties
― Culture ndash have a managerial structure in place that demonstrates a chain of responsibility for handling security and reporting errors― lsquoTone at the toprsquo
― Shared ownership of good practices
― Openness amp transparency ndash continuous improvement
State of the Nation ndash addressing Cyber RiskFour golden rules our plan is founded upon
Over 75 of attacks exploit failures to put in place basic controls
Get the basics right
You have to prioritize where you spend your money to defend yourself so build a fortress
around your most critical asset
Look after the crown jewels
Invest in understanding who might attack you why and how so that you can anticipate the most likely scenarios and defend those assets that are
most likely to get attacked
Do your homework on your enemies
Security and resilience can affect nearly every part of an organization Strategies to protect IT
security and business resiliency should align with an organizationrsquos broader goals ndash from protecting intellectual property to maximizing productivity to
finding new ways to delight customers
Treat cyber risk as an opportunity to look closely at your business
Solving the big lsquoBoard reporting problemrsquo in cyberJon Hawes Security Intelligence Strategist Panaseer
Cyber security insuranceGraeme Newman Chief Innovation OfficerCFC
Tackling the insider threatGarath Lauder Director CyberseerTed Plumis Vice President of Channels and Corporate Development Exabeam
Social engineering the art of the conRob Shapland Penetration Testing Team Manager First Base Technologies
Cryptography Basics Dr David Weston Lecturer in Computer Science and Information SystemsBirkbeck University of London
Tokens Honeypots Idenitfication Authorisation Services Ray Dalgarno Director CYBERCAST
Trust with ldquoTHISrdquo
TokensHoneypots
Identification Authorisation ServicesThe Confluence
Agenda
Warfare
Attack Surface Attribution Residency Deniability
Honeypots amp Tokens
Identification and Authorisation
Conclusion
WarfareSecurity through obscurity ndash
the reason the armed forces adopt camouflage
NHS Cyber Attacks ndash The Telegraph 1st Nov 2016
ldquohelliphacking is no longer the stuff of spy thrillers and action movies but a clear and present threathelliprdquo
ldquohellipBen Gummer minister for Cabinet says that large quantities of sensitive data held by the NHS and the Government is being targeted by hackershelliprdquo
ldquohellipMinisters will also unveil a Cyber Security Research Institute a virtual collection of UK universities which will work towards making passwords obsoletehelliprdquo
Cyber Fraud
ldquohellipOnline fraudsters stole pound109bn in the UK last yearhelliprdquo
ldquohellip39 (of respondents) questioned by ldquoGet Safe Onlinerdquo said they were a victim of cybercrime but did not report ithelliprdquo
ldquohellip53 received phishing messageshelliprdquo
Extract from The Telegraph 20th October 2016
Cyber Crime is a War ZoneldquoRouse him and learn the principle of his activity or inactivity Force him to reveal himself so as to find out his vulnerable spotsrdquoldquoIf you know the enemy and know yourself you need not fear the results of a hundred battlesrdquo
- Sun Tzu Military General Strategist amp Philosopher 5th Century BC ChinaDeception is a powerful effective but under utilised tool ndash (at least by defenders)
Full range of ldquoeffectsrdquo on adversaries possible through deception
Effects Attacker Defender
Fail to observe
Prevent the defender from detecting the attack Prevent the attacker from discovering their target
Reveal
Trick the defender into providing access Trick the attacker into revealing their presence
Waste Time
Focus the defenderrsquos attention on the wrong aspects of the incident
Focus the attackerrsquos efforts on the wrong target
Deception Effects - Attacker amp Defender
Operation Mincemeat - 1943
Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa To convince the Germans that instead of attacking Sicily the Allied armies would invade Greece
Operation Mincemeat - 1943Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa To convince the Germans that instead of attacking Sicily the Allied armies would invade Greece
This was accomplished by persuading the Germans that they had by accident intercepted top secret documents giving details of Allied war plans
Attack Surface Attribution Residency
DeniabilityFrom the living room to the boardroom
Attack Surface
From ordinary consumers to a single-office business through the regulatory bodies to the national and global giants
The environment dictates the approach ndash no ldquoSilver Bulletrdquo
Layered security ndash combining multiple mitigating security controls to cost effectively protect resources amp data
Attack AttributionAt which point in the attack do you realise that you have been hacked
TalkTalk DNC Yahoo
There are very few ldquosmoking gunsrdquo visible
Attacks that often begin with broadly targeted phishing that can introduce amp run new binaries on victims networks amp that connect to random internal hosts using exfiltrated credentials can still remain hidden for a year
Examples of Global IT Vendorsrsquo Vulnerabilities
Microsoft Microsoft August (2016) Patch Tuesday included five updates rated
critical out of a total of nine bringing the number of patches for the year-to-date at 103
SAP There are vulnerabilities in almost every SAP module CRM EP and SRM
are leaders among them ERPScan SAP Cyber Threat Report2016
Oracle MICROS (and others) In total more than one million PoS terminals around the world could be
at risk should the attacks prove to have been deeper than the companies are currently publicly admitting
Computing Aug
Dwell Time / Residency
Mandiant reported that attackers on average lurked on a network for 205 days before being discovered.¹
Microsoft recently reported that they place the number at more than 200 days to detect a security breach and 80 days to contain it.²
1. https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf
2. https://blogs.windows.com/windowsexperience/2016/03/01/announcing-windows-defender-advanced-threat-protection
Plausible Deniability & Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrongdoing cannot be proved true or untrue, due to a lack of evidence proving the allegation.
It is a basic law for the cheat and the deceiver: be able to offer up an excuse that cannot be disproved easily and that makes sense for the situation.
Trickle-down Effects
Trickle-down is accelerating in the car industry: yesteryears' top-end car innovations eventually migrate through the models, becoming standard options in lower-priced vehicles.
This pattern of innovation holds true in virtually every field, including cyber-security.
Malware as a Service (MaaS) – moving from the heavily funded specialist cyber experts down into the mass market.
MaaS is now commonly available at very low cost through the darknet and sites such as TOR and I2P.
Honeypots & Tokens – Evolution, Mimicry
Honeypots
Venus Flytrap in action (triggered honeypot)
Trojan Horse (passive honeypot): built by the Greeks and used to enter the city of Troy and win the 10-year Trojan war – a 4th Century story.
Cartography: a trap street (passive honeypot) is a fictitious entry, in the form of a misrepresented street, for the purpose of trapping potential copyright violators.
Tempting – moneypot
All mine………
Ooops
Honeypot Principle
Focus on detecting threats. Here we'd like to know immediately that someone has broken into the network and is in places they shouldn't be.
Ensure the honeypot looks appealing to the attacker. The honeypot must look legitimate & enticing.
In this attack scenario the defender has a particular advantage. Once attackers initially land inside your internal network they're at a disadvantage: they don't know the lay of the land and they need to explore it (reconnaissance) while remaining hidden.
Defence through Deception
Deception is a highly effective solution for protecting environments, used to confuse, delay and redirect the enemy.
Lured to the Canary honeypot, the attacker will be tricked into engaging with that device and believe they are being successful in their attack.
Canary – Today and Tomorrow
Canary – great for remote sites, but what about our VM data centres?
What about integration with established enterprise monitoring frameworks such as OpenView, CA or Microsoft SCOM?
Console management: limit on the number of deployed Canaries.
Are "Canarytokens" part of tomorrow's planning?
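The honeypot principle and the "Canarytokens" question above reduce to one detection rule: plant something that no legitimate process ever touches, and treat any touch as a high-confidence alert, regardless of whether the attempt succeeded. The following is an added example written for this page; it is not code from the slides or from the Canary product, and the decoy account name, share name, addresses and log lines are all constructed for illustration.

```python
"""Honeytoken detection over authentication logs (added example).

A dormant decoy account and a decoy share name are planted where an
intruder doing reconnaissance would find them. Nothing legitimate uses
them, so a single appearance in the logs is an alert. Every identifier
and log line below is constructed; none comes from the slides.
"""
import re
from dataclasses import dataclass

# Constructed decoy identifiers (hypothetical names, not real accounts).
HONEYTOKENS = {
    "svc_backup_legacy": "decoy service account",
    "FINANCE-ARCHIVE$": "decoy SMB share name",
}

# Constructed syslog-style lines: <timestamp> <host> <event> key=value ...
SAMPLE_LOG = """\
2016-11-04T09:12:01Z dc01 auth_ok user=jsmith src=10.1.4.22 service=ldap
2016-11-04T09:12:07Z dc01 auth_fail user=svc_backup_legacy src=10.1.9.77 service=ldap
2016-11-04T09:12:09Z fs02 share_access share=FINANCE-ARCHIVE$ user=jsmith src=10.1.9.77
2016-11-04T09:13:40Z dc01 auth_ok user=mjones src=10.1.4.31 service=kerberos
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<event>\S+)\s+(?P<kv>.*)$")


@dataclass(frozen=True)
class Alert:
    timestamp: str
    token: str
    source_ip: str
    event: str


def parse_line(line):
    """Split one log line into its fixed fields plus a key=value dict."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    return {"ts": m.group("ts"), "host": m.group("host"),
            "event": m.group("event"), **fields}


def find_honeytoken_hits(log_text, tokens=HONEYTOKENS):
    """Return an Alert for every line that touches a planted token.

    The outcome of the event does not matter: a failed logon with the
    decoy account is as telling as a successful one, because nothing
    legitimate should ever try it.
    """
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for value in (rec.get("user"), rec.get("share")):
            if value in tokens:
                alerts.append(Alert(rec["ts"], value, rec.get("src", "?"), rec["event"]))
    return alerts


def suspicious_sources(alerts):
    """Group hits by source address: one host touching several decoys is recon."""
    by_src = {}
    for a in alerts:
        by_src.setdefault(a.source_ip, set()).add(a.token)
    return by_src


if __name__ == "__main__":
    hits = find_honeytoken_hits(SAMPLE_LOG)
    for hit in hits:
        print(f"ALERT {hit.timestamp} {hit.event} token={hit.token} from {hit.source_ip}")
    print(suspicious_sources(hits))
```

The two decoys here are touched from the same address within seconds, which is exactly the "exploring the lay of the land" behaviour the slide describes; grouping by source turns two isolated hits into one incident with a known starting point, which is what shortens the dwell time discussed earlier.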
Identification & Authorisation
A new way forward
Tokens
Tokens – In general, a token is an object that represents something else, such as another object (either physical or virtual) or an abstract concept. In computer systems there are a number of types of tokens, both hardware and software.
In human terms, a token of trust can exist between two parties, with such levels of trust reinforced through personal introductions with other parties.
A token generation & management platform designed specifically for high-security multi-services in public and private clouds greatly enhances trustworthy information handling.
Identification with Passwords
Any directory service or management platform holding passwords becomes a target for the attacker for credentials' theft.
Passwords are fundamentally flawed: often easy to guess; reused across different services; written down, stored or shared; can be intercepted; expensive to maintain. 29% of all cybercrime is from stolen passwords.
Identification WITHOUT Password
The Problem: the password has outlived its usefulness.
Secure Cloudlink's Response: patented and highly secure tokenised message management solution assures password redundancy. User credentials are not transmitted, stored or replicated. Secure digital services – a snap for the user.
Randomised encrypted key generation – no consistent key to be stolen.
Conclusion – Possible quick-wins
Immediate Low-risk Considerations
People protection: Continuous interactive education on the threats & risks posed by cyber-criminals, through the deployment of Phish5 email phishing simulations with supporting education processes.
Network hardening: Rapid deployment of customisable, low-cost, capex-free Canary honeypots throughout the strategic points on the network.
Access & authorisation protection: Review and assess the usage & costs (direct/indirect) of passwords in your own organisation – test the results against Secure Cloudlink.
Information handling assurance: Regular external expert assessment & audit of network data governance practices and procedures.
Security Through Obscurity
Warfare – The Social Threat
Attack Surface, Attribution, Residency, Deniability – Living room to Boardroom
Honeypots & Tokens – Evolution Mimicked
Identification and Authorisation – New Pathway
Thank you
Trust in "THIS"
Security through Obscurity – Ray Dalgarno
ray@cybercast.co
New and evolving forms of malware – Mark Olding, Senior Enterprise Presales Consultant, Kaspersky Labs
The what, how, who and why of computer malware
Mark Olding, Senior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1 new virus every hour (1994)
1 new virus every minute (2006)
1 new virus every second (2011)
310,000 new samples every day (2016)
THE SCALE OF THE THREAT
[Chart: Traditional cybercrime 90%; Targeted threats to organizations (targeted attacks, advanced persistent threats) 9.9%; Cyber-weapons 0.1%]
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of Things
Big Data
Fragmentation of the internet
Cloud & Virtualization
Consumerisation & Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy & Data protection challenge
Online banking at risk
Mobile threats
Decreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Targeting hotel networks
Ransomware programs
Cyber mercenaries
Massive data leaks
Malware for ATMs
Financial phishing attacks
Attacks on PoS terminals
Threats to Smart Cities
'Wipers' & Cyber-sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks; Email; Exploit kits; Social Networks; Browsers; Android OS
VULNERABILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798,113,087 web attacks in 2015:
25 attacks per second; 1,518 attacks per minute; 91,000 attacks per hour; 2.1 million attacks per day.
DRIVE-BY DOWNLOADS (June 2015)
SOCIAL MEDIA (June 2015)
REMOVABLE DRIVES (June 2015)
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
[Chart: Users, by month from Nov-14 to Sep-15; vertical axis 0 to 450,000]
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on almost 2 million computers.
This number is 2.8% higher than in 2014.
Ransomware (June 2015)
BLOCKERS / CRYPTORS (June 2015)
Advanced Persistent Threats
Stuxnet, Duqu, Gauss, Flame, MiniFlame, Kimsuky, NetTraveler, Winnti, Icefog, RedOctober, Miniduke, TeamSpy, Energetic Bear / Crouching Yeti, Epic Turla, Careto / The Mask, Regin, CosmicDuke, Darkhotel, Spring Dragon, Satellite Turla, MsnMM Campaigns, Darkhotel Part 2, Animal Farm, Equation, Desert Falcons, Carbanak, Sofacy, Hellsing, Naikon, Duqu 2.0, Blue Termite, Wild Neutron
We discover and dissect the world's most sophisticated malware.
HOW THE CARBANAK CYBERGANG STOLE $1bn
A targeted attack on a bank
1. Infection: Carbanak sent a backdoor as an attachment – emails with exploits to bank employees; credentials stolen; 100s of machines infected, in search of the admin PC.
2. Harvesting intelligence: intercepting the clerk's screen (diagram labels: Admin, REC, Cash transfer systems).
3. Mimicking the staff – how the money was stolen:
Online banking: money was transferred to the fraudsters' accounts.
E-payment systems: money was transferred to banks in China and the US.
Inflated account balances: the extra funds were pocketed via a fraudulent transaction.
Controlling ATMs: orders to dispense cash at a pre-determined time.
MAC MALWARE
In 2012 the Flashback botnet was discovered, consisting of 700,000 computers all running under Mac OS X.
Cybercriminals repeatedly use Mac malware when launching targeted attacks.
Macs can unknowingly pass PC malware on to PCs in your network.
MAC MALWARE
[Chart: Malware samples by year, 2003 to 2015; vertical axis 0 to 30,000]
Since 2012 the proportion of adware on OS X has increased fivefold (x5).
Kaspersky Lab recorded almost 6 million unique attacks on Mac devices in 2015.
There are more than 24,000 samples of malicious OS X files in Kaspersky Lab's collection.
MOBILE MALWARE
[Chart: Malware samples by quarter, Q1 2011 to Q3 2015; vertical axis 0 to 1,600,000]
MOBILE MALWARE
[Chart: distribution by type – Adware, RiskTool, Trojan-SMS, Trojan, Trojan-Spy, Backdoor, Trojan-Downloader, Trojan-Banker, Trojan-Ransom, Monitor, Other]
RIGHT NOW
• Evaluate the risks
• Patch OS and applications
• Manage your network
• Secure your systems: multi-layered protection; not just endpoints; Default-Deny; encrypt; don't forget mobile
• Educate staff
• Stop fire fighting – create a strategy
• It's bigger than IT
• Delegate to experts: assessment, incident response, analysis
TOMORROW – FUTURE PROSPECTS
• 'The end of APTs'
• Alternative payment systems and stock exchange
• Sabotage, extortion and shame
• Ransomware
• Trusted resources
• From 'APT-as-a-Service' to 'Access-as-a-service'
• Balkanisation
• Transportation
• 'Crypto-apocalypse'
THANK YOU
Closing keynote address – Vicki Gavin, Compliance Director, Head of Business Continuity & Information Security, The Economist Group
Thank you
You might be feeling a bit like this…
Rabbit in the headlights
Or, depending on your board…
Possibly like this
The big question is…
Is this really an entirely new threat that we are facing?
Our view
The threat is NOT new.
'Cyber' is a convenient label for information risk in the 21st Century.
But there are some trends:
― We are noticing more and larger breaches
― Breaches and data leaks are making the news – there is public, media and regulatory interest
― The criminals are getting smarter
Our view – how do we respond?
Pursue a strategy of defence-in-depth.
Avoid our historic fixation on 'the perimeter'. This is not a purely technical problem.
The solution is not necessarily a technical one; technical controls remain key.
The weakest links are likely to be: your people, and your third party suppliers & partners.
Summary
― 'Cyber threat' is nothing new – in our view
― But it is serious
― Target defence in depth
― Staff, contractors and suppliers are now your weakest link
― Get back to basics on information governance
― Apply technology solutions intelligently to support & enable
History quiz
Just how successful was it?
Not very successful at all
Perception versus reality
We think we are building this…
But we have potentially built this…
Case studies – poor practices
― October 2015
― Cause: Simple (and old) technical exploit (executed by a 15 year-old boy)
― Immediate result: 150,000 customer records stolen (over 15,000 full bank details)
― Incident/crisis management extremely poor
― CEO unprepared & poorly briefed
― Scope of breach massively over-estimated
― Response ill-judged (500,000 customers given 'free upgrade')
― Impacts:
― REPUTATION – Lost 95,000 customers in year 1
― FINANCIAL – Current financial cost estimated at £60m
― REGULATORY – Formally sanctioned by ICO (fined 400k)
Case studies – insider threat
― December 2014
― Cause: Malicious software deployed via 'phishing' attack, used to obtain IDs and passwords
― Politically motivated
― Immediate result: 100 terabytes of data stolen (the whole of the "co.uk" domain is only 68 Tb)
― Data included entire movies, financials, staff data, salary data, email records
― Data posted on the internet for download
― Impacts:
― REPUTATION – Deputy CEO forced to resign due to damaging email content
― FINANCIAL – Current financial cost estimated at $15m (impact reduced by insurances and managed legal response)
Case studies – third party
― Spring 2014
― Cause: Security compromise at third party AirCon and Ventilation contractor – access gained to Target's network
― Immediate result: 70m customer records and 40m credit card records harvested across 1,797 stores over an extended period
― Data downloaded by criminals in Russia
― Impacts:
― FINANCIAL – Current financial cost to Target estimated at $61m (industry-wide costs estimated at $200m)
Get back to basics
― It's not just about the enemy at the gates (i.e. the perimeter)
― The perimeter is hard to define these days
― We cannot rely solely upon prevention – our detection and response capability must improve
We need to take the threat seriously.
Get back to basics
― Technology and tools of the highest quality can be undermined by weaknesses in basic security practices
― Or by a flawed corporate culture
― Cyber/Information risk is a problem for the entire business to resolve – not just IT
― Today's cyber criminals recognise this and exploit it by adopting a range of approaches which step away from the purely technical and exploit weaknesses in the way that organisations manage, control and interact with their information
― A full frontal assault is unlikely to be profitable – an attacker will target compromise from the inside. And they can be very patient.
Get back to basics
Fundamentally, addressing the Cyber Threat means going back to basics: looking again at your organisation and the controls you already have.
― Understanding your people – what threats do they pose? After all, there is no patch for stupidity
― Understanding your organisation's information: where it is and how it is used
― Identifying the main risks to physical and information assets
― Ensuring that the right measures are adopted to mitigate risk to within acceptable levels – balancing cost versus risk
Get back to basics – governance foundations
Unless the foundations of good information and security governance are working well, any investment in security technology will most likely be wasted. Fundamental areas for focus are:
― Staff security training and awareness
― Robust oversight and management of third party suppliers
― Software & hardware patch management
― Intelligent management & admin of user access
― Clear policies on security, acceptable system use and social media
People, Process, Tools. In that order.
Get back to basics – making it work
For effective and sustainable governance:
― Setting, maintaining and continuing to evolve the "tone at the top"
― Monitoring of information risk management by the Board of Directors
― Ongoing practical and relevant awareness training
― Independent assurance
― Regular risk-based security testing, inside and outside the perimeter
What happens if a security breach occurs?
― If a security breach occurs, organisations that follow clearly documented plans to reduce the impact of the breach have a much better chance of staying out of the law courts and avoiding punishment.
― Most organisations, unfortunately, don't have good systems for actually managing the problem. If a breach occurs, the law is really concerned with your behaviour at that point in time. You can't unravel the past and pretend the breach didn't occur; it's what you do from that point on that will determine your culpability.
― On top of having well documented systems and procedures, organisations need to have clearly defined actions for dealing with a breach and limiting the damage to those affected. This is likely to involve multiple disciplines that could include information security specialists, IT resources, a PR agency, legal advice and credit reporting services.
― If you adopt an honourable stance from the outset, doing the right thing at the right time, then your legal team is in a very strong position to defend you to the regulator, arguing that you're not the kind of organisation that has the profile that requires all of the effect of the law and therefore the punishment.
How to protect organisations from security breaches
― Take some basic steps to build a "protective shield", most notably:
― Build a single unified security policy
― Ensure information security forms part of any contract initiation
― Make security part of the process when any project is initiated
― Employee adequacy – ensure you have processes for handling new employees, changes of job and employees exiting the company; show that they were made aware of security requirements
― Third-party assurance – have processes in place to guard information held by third parties
― Culture – have a managerial structure in place that demonstrates a chain of responsibility for handling security and reporting errors
― 'Tone at the top'
― Shared ownership of good practices
― Openness & transparency – continuous improvement
State of the Nation – addressing Cyber Risk
Four golden rules our plan is founded upon:
Get the basics right – Over 75% of attacks exploit failures to put in place basic controls.
Look after the crown jewels – You have to prioritize where you spend your money to defend yourself, so build a fortress around your most critical asset.
Do your homework on your enemies – Invest in understanding who might attack you, why and how, so that you can anticipate the most likely scenarios and defend those assets that are most likely to get attacked.
Treat cyber risk as an opportunity to look closely at your business – Security and resilience can affect nearly every part of an organization. Strategies to protect IT security and business resiliency should align with an organization's broader goals – from protecting intellectual property, to maximizing productivity, to finding new ways to delight customers.
Solving the big 'Board reporting problem' in cyber – Jon Hawes, Security Intelligence Strategist, Panaseer
Cyber security insurance – Graeme Newman, Chief Innovation Officer, CFC
Tackling the insider threat – Garath Lauder, Director, Cyberseer; Ted Plumis, Vice President of Channels and Corporate Development, Exabeam
Social engineering: the art of the con – Rob Shapland, Penetration Testing Team Manager, First Base Technologies
Cryptography Basics – Dr David Weston, Lecturer in Computer Science and Information Systems, Birkbeck, University of London
Tokens, Honeypots, Identification & Authorisation Services – Ray Dalgarno, Director, CYBERCAST
Trust with "THIS"
Tokens, Honeypots, Identification & Authorisation Services – The Confluence
Agenda
Warfare
Attack Surface, Attribution, Residency, Deniability
Honeypots & Tokens
Identification and Authorisation
Conclusion
Warfare
Security through obscurity – the reason the armed forces adopt camouflage.
NHS Cyber Attacks – The Telegraph, 1st Nov 2016
"…hacking is no longer the stuff of spy thrillers and action movies but a clear and present threat…"
"…Ben Gummer, minister for Cabinet, says that large quantities of sensitive data held by the NHS and the Government is being targeted by hackers…"
"…Ministers will also unveil a Cyber Security Research Institute, a virtual collection of UK universities which will work towards making passwords obsolete…"
Cyber Fraud
"…Online fraudsters stole £10.9bn in the UK last year…"
"…39% (of respondents) questioned by "Get Safe Online" said they were a victim of cybercrime but did not report it…"
"…53% received phishing messages…"
Extract from The Telegraph, 20th October 2016
Cyber Crime is a War Zone
"Rouse him and learn the principle of his activity or inactivity. Force him to reveal himself, so as to find out his vulnerable spots."
"If you know the enemy and know yourself, you need not fear the results of a hundred battles."
- Sun Tzu, Military General, Strategist & Philosopher, 5th Century BC, China
Deception is a powerful, effective but under-utilised tool – (at least by defenders).
A full range of "effects" on adversaries is possible through deception.
Deception Effects – Attacker & Defender
Effect          | Attacker                                                            | Defender
Fail to observe | Prevent the defender from detecting the attack                      | Prevent the attacker from discovering their target
Reveal          | Trick the defender into providing access                            | Trick the attacker into revealing their presence
Waste time      | Focus the defender's attention on the wrong aspects of the incident | Focus the attacker's efforts on the wrong target
Operation Mincemeat - 1943
Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa To convince the Germans that instead of attacking Sicily the Allied armies would invade Greece
Operation Mincemeat - 1943Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa To convince the Germans that instead of attacking Sicily the Allied armies would invade Greece
This was accomplished by persuading the Germans that they had by accident intercepted top secret documents giving details of Allied war plans
Attack Surface Attribution Residency
DeniabilityFrom the living room to the boardroom
Attack Surface
From ordinary consumers to a single-office business through the regulatory bodies to the national and global giants
The environment dictates the approach ndash no ldquoSilver Bulletrdquo
Layered security ndash combining multiple mitigating security controls to cost effectively protect resources amp data
Attack AttributionAt which point in the attack do you realise that you have been hacked
TalkTalk DNC Yahoo
There are very few ldquosmoking gunsrdquo visible
Attacks that often begin with broadly targeted phishing that can introduce amp run new binaries on victims networks amp that connect to random internal hosts using exfiltrated credentials can still remain hidden for a year
Examples of Global IT Vendorsrsquo Vulnerabilities
Microsoft Microsoft August (2016) Patch Tuesday included five updates rated
critical out of a total of nine bringing the number of patches for the year-to-date at 103
SAP There are vulnerabilities in almost every SAP module CRM EP and SRM
are leaders among them ERPScan SAP Cyber Threat Report2016
Oracle MICROS (and others) In total more than one million PoS terminals around the world could be
at risk should the attacks prove to have been deeper than the companies are currently publicly admitting
Computing Aug
Dwell TimeResidency
Mandiant reported that attackers on average lurked on a network for 205 days before being discoveredsup1
Microsoft recently reported they place the number at more than 200 days to detect a security breach and 80 days to contain itsup2
1 httpswww2fireeyecomrsfireyeimagesrpt-m-trends-2015pdf2 httpsblogswindowscomwindowsexperience20160301announcing-windows-defender-advanced-threat-protection
Plausible Deniability amp Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrong doing cannot be proved as true or untrue due to a lack of evidence proving the allegation
It is a basic law for the cheat and the deceiver Be able to offer up an excuse that cannot be disproved easily and that makes sense for the situation
Trickle-down Effects
Increasing rapidity of car-trickle-down yester-yearsrsquo top end car innovations eventually migrate through the models becoming standard options in lower-priced vehicles
This pattern of innovation holds true in virtually every field including cyber- security
Malware as a Service (MaaS) ndash moving from the heavily funded specialist cyber experts down into the mass market
MaaS now commonly available at very low cost through the darknet and sites such TOR I2p
Honeypots amp TokensEvolution Mimicry
Honeypots
Venus Flytrap in Action (triggered honeypot)
Trojan Horse (passive honeypot) Greeks built used to enter the city of Troy and win the 10 year Trojan war - 4th Century story
Cartography A trap street (passive honeypot) is a fictitious entry in the form of a misrepresented street for the purpose of trapping potential copyright violators
Tempting - moneypot
All minehelliphelliphellip
Ooops
Honeypot Principle
Focus on detecting threats Here wersquod like to know immediately someone has broken into the network
and in places they shouldnrsquot be
Ensure the honeypot looks appealing to the attacker The honeypot must look legitimate amp enticing
In this attack scenario the defender has particular advantage Once attackers initially land inside your internal network theyrsquore at a
disadvantage They donrsquot know the lay of the land and they need to explore it (reconnaissance) while remaining hidden
Defence through Deception
Deception is a highly effective solution for protecting environments used to confuse delay and redirect the enemy
Lured to the Canary Honeypot the attacker will be tricked into engaging with that device and believe they are being successful in their attack
Canary ndash Today and Tomorrow
Canary - great for remote sites but what about our VM data centres
What about integration with established enterprise monitoring frameworks such as Openview CA or Microsoft SCOM
Console management limit on the number of deployed Canaries
Are ldquoCanarytokensrdquo part of tomorrowrsquos planning
Identification amp Authorisation
A new way forward
TokensTokens - In general a token is an object that represents something else such as another object (either physical or virtual) or an abstract concept In computer systems there are a number of types of tokens both hardware and software
In human terms a token of trust can exist between two parties with such levels of trust reinforced through personal introductions with other partiesA token generation amp management platform designed specifically for high security multi-services in public and private clouds
greatly enhances trustworthy information handling
Identification with Passwords Any directory service or managementplatform holding passwords becomes atarget by the attacker for credentialsrsquo theft
Passwords are fundamentally flawed Often easy to guess Are reused across different services Are written down or stored or shared Can be intercepted Are expensive to maintain 29 of all cybercrime is from stolen
passwords
Identification WITHOUT Password
The Problem The password has outlived itrsquos usefulness
Secure Cloudlinkrsquos Response Patented and highly secure tokenised message management
solution assures password redundancy User credentials are not transmitted stored or replicated Secure digital services - a snap for the user
Randomised encrypted key generation ndashno consistent key to be stolen
ConclusionPossible quick-wins
Immediate Low-risk ConsiderationsPeople protection Continuous inter-active education on the threats amp risks posed by cyber-criminals through the deployment of Phish5 email phishing simulations with supporting education processes
Network hardening Rapid deployment of customisable low-cost capex-free Canary honeypots throughout the strategic points on the network
Access amp authorisation protection Review and assess the usage amp costs (directindirect) of passwords in your own organisation ndash test the results against Secure Cloudlink
Information handling assurance Regular external expert assessment amp audit of network data governance practices and procedures
Security Through Obscurity
Warfare - The Social Threat
Attack Surface Attribution Residency Deniability -Livingroom to Boardroom
Honeypots amp Tokens ndash Evolution Mimicked
Identification and Authorisation ndash New Pathway
Thank you
Trust in ldquoTHISrdquo
Security through ObscurityRay Dalgarno
raycybercastco
New and evolving forms of malwareMark Olding Senior Enterprise Presales Consultant Kaspersky Labs
The what how who and why of computer malware
Mark OldingSenior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1NEW VIRUS EVERY HOUR
19941NEW VIRUS EVERY MINUTE
20061NEW VIRUS EVERY SECOND
2011310000NEW SAMPLES EVERY DAY
2016
THE SCALE OF THE THREAT
90
99
01
Targeted attacks
Advanced persistent threats
Traditional cybercrime
Targeted threats to organizations
Cyber-weapons
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of ThingsBig Data Fragmentation of the internet
Cloud amp Virtualization Consumerisation amp Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy amp Data protection challenge
Online banking at risk
Mobile threatsDecreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of ThingsTargeting hotel networks
Ransomware programs
Cyber mercenaries Massive data leaks
Malware for ATMs
Financial phishing attacksAttacks on
PoS terminals
Threats to Smart CitieslsquoWipersrsquo amp Cyber - sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email Exploit kits
Social Networks
BrowsersAn-droi-dOS
VULNERBILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798113087 web attacks in 2015
25 attacks per second1518 attacks per minute
21 million attacks per day 91000 attacks per hour
DRIVE-BY DOWNLOADS
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
RIGHT NOW
• Evaluate the risks
• Patch OS and applications
• Manage your network
• Secure your systems: multi-layered protection, not just endpoints; Default-Deny; encrypt; don't forget mobile
• Educate staff
TOMORROW
• Stop fire fighting: create a strategy
• It's bigger than IT
• Delegate to experts: assessment, incident response, analysis
FUTURE PROSPECTS
• ‘The end of APTs’
• Alternative payment systems and stock exchange
• Sabotage, extortion and shame
• Ransomware
• Trusted resources
• From ‘APT-as-a-Service’ to ‘Access-as-a-service’
• Balkanisation
• Transportation
• ‘Crypto-apocalypse’
THANK YOU
Closing keynote address: Vicki Gavin, Compliance Director, Head of Business Continuity & Information Security, The Economist Group
Thank you
Or depending on your board…
Possibly like this
The big question is …
Is this really an entirely new threat that we are facing
Our view
But there are some trends
― We are noticing more and larger breaches
― Breaches and data leaks are making the news – there is public, media and regulatory interest
― The criminals are getting smarter
The threat is NOT new
‘Cyber’ is a convenient label for information risk in the 21st Century
Our view – how do we respond?
Pursue a strategy of defence-in-depth
Avoid our historic fixation on ‘the perimeter’. This is not a purely technical problem.
The solution is not necessarily a technical one, but technical controls remain key.
The weakest links are likely to be your people, and your third party suppliers & partners.
Summary
― ‘Cyber threat’ is nothing new – in our view
― But it is serious
― Target defence in depth
― Staff, contractors and suppliers are now your weakest link
― Get back to basics on information governance
― Apply technology solutions intelligently to support & enable
History quiz
Just how successful was it? Not very successful at all.
Perception versus reality
We think we are building this…
But we have potentially built this…
Case studies – poor practices
― October 2015
― Cause: simple (and old) technical exploit (executed by a 15 year-old boy)
― Immediate result: 150,000 customer records stolen (over 15,000 full bank details)
― Incident/crisis management extremely poor
― CEO unprepared & poorly briefed
― Scope of breach massively over-estimated
― Response ill-judged (500,000 customers given ‘free upgrade’)
― Impacts
― REPUTATION – lost 95,000 customers in year 1
― FINANCIAL – current financial cost estimated at £60m
― REGULATORY – formally sanctioned by ICO (fined 400k)
Case studies – insider threat
― December 2014
― Cause: malicious software deployed via ‘phishing’ attack, used to obtain IDs and passwords
― Politically motivated
― Immediate result: 100 terabytes of data stolen (the whole of the “.co.uk” domain is only 68 Tb)
― Data included entire movies, financials, staff data, salary data, email records
― Data posted on the internet for download
― Impacts
― REPUTATION – Deputy CEO forced to resign due to damaging email content
― FINANCIAL – current financial cost estimated at $15m (impact reduced by insurances and managed legal response)
Case studies – third party
― Spring 2014
― Cause: security compromise at third party AirCon and Ventilation contractor – access gained to Target's network
― Immediate result: 70m customer records and 40m credit card records harvested across 1,797 stores over an extended period
― Data downloaded by criminals in Russia
― Impacts
― FINANCIAL – current financial cost to Target estimated at $61m (industry-wide costs estimated at $200m)
Get back to basics
― It's not just about the enemy at the gates (i.e. the perimeter)
― The perimeter is hard to define these days
― We cannot rely solely upon prevention – our detection and response capability must improve
We need to take the threat seriously
Get back to basics
― Technology and tools of the highest quality can be undermined by weaknesses in basic security practices
― Or by a flawed corporate culture
― Cyber/Information risk is a problem for the entire business to resolve – not just IT
― Today's cyber criminals recognise this and exploit it by adopting a range of approaches which step away from the purely technical and exploit weaknesses in the way that organisations manage, control and interact with their information
― A full frontal assault is unlikely to be profitable – an attacker will target compromise from the inside. And they can be very patient
Get back to basics
Fundamentally, addressing the Cyber Threat means going back to basics: looking again at your organisation and the controls you already have
― Understanding your people – what threats do they pose? After all, there is no patch for stupidity
― Understanding your organisation's information, where it is and how it is used
― Identifying the main risks to physical and information assets
― Ensuring that the right measures are adopted to mitigate risk to within acceptable levels – balancing cost versus risk
Get back to basics – governance foundations
Unless the foundations of good information and security governance are working well, any investment in security technology will most likely be wasted. Fundamental areas for focus are:
― Staff security training and awareness
― Robust oversight and management of third party suppliers
― Software & hardware patch management
― Intelligent management & admin of user access
― Clear policies on security, acceptable system use and social media
People, Process, Tools. In that order.
Get back to basics – making it work
For effective and sustainable governance:
― Setting, maintaining and continuing to evolve the “tone at the top”
― Monitoring of information risk management by the Board of Directors
― Ongoing, practical and relevant awareness training
― Independent assurance
― Regular risk-based security testing, inside and outside the perimeter
What happens if a security breach occurs?
― If a security breach occurs, organisations that follow clearly documented plans to reduce the impact of the breach have a much better chance of staying out of the law courts and avoiding punishment
― Most organisations unfortunately don't have good systems for actually managing the problem. If a breach occurs, the law is really concerned with your behaviour at that point in time. You can't unravel the past and pretend the breach didn't occur; it's what you do from that point on that will determine your culpability
― On top of having well documented systems and procedures, organisations need to have clearly defined actions for dealing with a breach and limiting the damage to those affected. This is likely to involve multiple disciplines that could include information security specialists, IT resources, a PR agency, legal advice and credit reporting services
― If you adopt an honourable stance from the outset, doing the right thing at the right time, then your legal team is in a very strong position to defend you to the regulator, arguing that you're not the kind of organisation that has the profile that requires all of the effect of the law and therefore the punishment
How to protect organisations from security breaches
― Take some basic steps to build a “protective shield”, most notably:
― Build a single unified security policy
― Ensure information security forms part of any contract initiation
― Make security part of the process when any project is initiated
― Employee adequacy – ensure you have processes for handling new employees, changes of job and for employees exiting the company; show that they were made aware of security requirements
― Third-party assurance – have processes in place to guard information held by third parties
― Culture – have a managerial structure in place that demonstrates a chain of responsibility for handling security and reporting errors
― ‘Tone at the top’
― Shared ownership of good practices
― Openness & transparency – continuous improvement
State of the Nation – addressing Cyber Risk
Four golden rules our plan is founded upon:
Over 75% of attacks exploit failures to put in place basic controls.
Get the basics right
You have to prioritize where you spend your money to defend yourself, so build a fortress around your most critical asset.
Look after the crown jewels
Invest in understanding who might attack you, why and how, so that you can anticipate the most likely scenarios and defend those assets that are most likely to get attacked.
Do your homework on your enemies
Security and resilience can affect nearly every part of an organization. Strategies to protect IT security and business resiliency should align with an organization's broader goals – from protecting intellectual property to maximizing productivity to finding new ways to delight customers.
Treat cyber risk as an opportunity to look closely at your business
Solving the big ‘Board reporting problem’ in cyber: Jon Hawes, Security Intelligence Strategist, Panaseer
Cyber security insurance: Graeme Newman, Chief Innovation Officer, CFC
Tackling the insider threat: Garath Lauder, Director, Cyberseer; Ted Plumis, Vice President of Channels and Corporate Development, Exabeam
Social engineering, the art of the con: Rob Shapland, Penetration Testing Team Manager, First Base Technologies
Cryptography Basics: Dr David Weston, Lecturer in Computer Science and Information Systems, Birkbeck University of London
Tokens, Honeypots, Identification, Authorisation Services: Ray Dalgarno, Director, CYBERCAST
Trust with “THIS”
Tokens, Honeypots, Identification, Authorisation Services: The Confluence
Agenda
Warfare
Attack Surface Attribution Residency Deniability
Honeypots & Tokens
Identification and Authorisation
Conclusion
Warfare
Security through obscurity – the reason the armed forces adopt camouflage
NHS Cyber Attacks – The Telegraph, 1st Nov 2016
“…hacking is no longer the stuff of spy thrillers and action movies but a clear and present threat…”
“…Ben Gummer, minister for Cabinet, says that large quantities of sensitive data held by the NHS and the Government is being targeted by hackers…”
“…Ministers will also unveil a Cyber Security Research Institute, a virtual collection of UK universities which will work towards making passwords obsolete…”
Cyber Fraud
“…Online fraudsters stole £10.9bn in the UK last year…”
“…39% (of respondents) questioned by “Get Safe Online” said they were a victim of cybercrime but did not report it…”
“…53% received phishing messages…”
Extract from The Telegraph, 20th October 2016
Cyber Crime is a War Zone
“Rouse him and learn the principle of his activity or inactivity. Force him to reveal himself, so as to find out his vulnerable spots.”
“If you know the enemy and know yourself, you need not fear the results of a hundred battles.”
- Sun Tzu, Military General, Strategist & Philosopher, 5th Century BC, China
Deception is a powerful, effective but under-utilised tool – (at least by defenders)
Deception Effects - Attacker & Defender
Full range of “effects” on adversaries possible through deception:
Fail to observe – Attacker: prevent the defender from detecting the attack. Defender: prevent the attacker from discovering their target.
Reveal – Attacker: trick the defender into providing access. Defender: trick the attacker into revealing their presence.
Waste time – Attacker: focus the defender's attention on the wrong aspects of the incident. Defender: focus the attacker's efforts on the wrong target.
Operation Mincemeat - 1943
Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa: to convince the Germans that, instead of attacking Sicily, the Allied armies would invade Greece.
This was accomplished by persuading the Germans that they had, by accident, intercepted top secret documents giving details of Allied war plans.
Attack Surface, Attribution, Residency, Deniability
From the living room to the boardroom
Attack Surface
From ordinary consumers to a single-office business, through the regulatory bodies, to the national and global giants.
The environment dictates the approach – no “Silver Bullet”.
Layered security – combining multiple mitigating security controls to cost-effectively protect resources & data.
Attack Attribution
At which point in the attack do you realise that you have been hacked? TalkTalk, DNC, Yahoo.
There are very few “smoking guns” visible.
Attacks that often begin with broadly targeted phishing, that can introduce & run new binaries on victims' networks, and that connect to random internal hosts using exfiltrated credentials, can still remain hidden for a year.
Examples of Global IT Vendors' Vulnerabilities
Microsoft: Microsoft's August (2016) Patch Tuesday included five updates rated critical out of a total of nine, bringing the number of patches for the year-to-date to 103.
SAP: There are vulnerabilities in almost every SAP module; CRM, EP and SRM are leaders among them (ERPScan SAP Cyber Threat Report 2016).
Oracle MICROS (and others): In total, more than one million PoS terminals around the world could be at risk should the attacks prove to have been deeper than the companies are currently publicly admitting (Computing, Aug).
Dwell Time / Residency
Mandiant reported that attackers on average lurked on a network for 205 days before being discovered¹
Microsoft recently reported they place the number at more than 200 days to detect a security breach and 80 days to contain it²
1 https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf
2 https://blogs.windows.com/windowsexperience/2016/03/01/announcing-windows-defender-advanced-threat-protection/
Plausible Deniability & Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrongdoing cannot be proved as true or untrue due to a lack of evidence proving the allegation.
It is a basic law for the cheat and the deceiver: be able to offer up an excuse that cannot be disproved easily and that makes sense for the situation.
Trickle-down Effects
Increasing rapidity of car trickle-down: yesteryears' top-end car innovations eventually migrate through the models, becoming standard options in lower-priced vehicles.
This pattern of innovation holds true in virtually every field, including cyber-security.
Malware as a Service (MaaS) – moving from the heavily funded specialist cyber experts down into the mass market.
MaaS is now commonly available at very low cost through the darknet and sites such as Tor, I2P.
Honeypots & Tokens
Evolution, Mimicry
Honeypots
Venus Flytrap in action (triggered honeypot)
Trojan Horse (passive honeypot): built by the Greeks and used to enter the city of Troy and win the 10 year Trojan war - 4th Century story
Cartography: a trap street (passive honeypot) is a fictitious entry in the form of a misrepresented street for the purpose of trapping potential copyright violators
[Cartoon: a tempting “moneypot” – “All mine………” – “Ooops”]
Honeypot Principle
Focus on detecting threats. Here we'd like to know immediately someone has broken into the network and is in places they shouldn't be.
Ensure the honeypot looks appealing to the attacker. The honeypot must look legitimate & enticing.
In this attack scenario the defender has a particular advantage. Once attackers initially land inside your internal network they're at a disadvantage: they don't know the lay of the land and they need to explore it (reconnaissance) while remaining hidden.
Defence through Deception
Deception is a highly effective solution for protecting environments, used to confuse, delay and redirect the enemy.
Lured to the Canary honeypot, the attacker will be tricked into engaging with that device and believe they are being successful in their attack.
Canary – Today and Tomorrow
Canary - great for remote sites, but what about our VM data centres?
What about integration with established enterprise monitoring frameworks such as Openview, CA or Microsoft SCOM?
Console management limit on the number of deployed Canaries
Are “Canarytokens” part of tomorrow's planning?
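The honeypot principle and the Canarytokens question above, as an added example that is not Cybercast's, the presenter's or any Canary vendor's code: a small Python detector that alerts on any connection to a decoy host (nothing legitimate ever talks to it, so one touch is a high-fidelity "Reveal") and on any web request carrying a token planted in a decoy document. The decoy addresses, scanner address, token value and log lines are all constructed for the demo.

```python
import re
import secrets
from collections import defaultdict
from dataclasses import dataclass

# Constructed decoy host and the fake services it exposes. Nothing legitimate
# ever talks to it, so any connection is a high-fidelity signal (the "Reveal"
# effect: the intruder's reconnaissance gives them away).
HONEYPOTS = {"10.0.5.20": {22, 445, 3389}}
# Sources allowed to probe the decoys without raising an alert, e.g. the
# organisation's own vulnerability scanner (constructed address).
KNOWN_SCANNERS = {"10.0.1.9"}


@dataclass(frozen=True)
class Alert:
    kind: str      # "honeypot" or "canarytoken"
    source: str    # address that tripped the decoy
    detail: str


def make_canarytoken(label: str) -> str:
    """Unguessable token to plant in a decoy document, link or config file.
    The label records where it was planted so an alert says what was opened."""
    return f"{label}-{secrets.token_hex(8)}"


def canary_url(token: str, host: str = "canary.example.invalid") -> str:
    """URL embedded in the decoy; the token only ever appears in a request
    made by someone who has read the decoy."""
    return f"https://{host}/r/{token}"


def honeypot_alerts(events, honeypots=HONEYPOTS, ignore=KNOWN_SCANNERS):
    """events: iterable of (timestamp, src_ip, dst_ip, dst_port) connection
    records. Hits are collapsed per (source, decoy) so a port sweep of one
    decoy yields a single alert listing every decoy port that was touched."""
    touched = defaultdict(set)
    for _ts, src, dst, port in events:
        if src in ignore:
            continue
        if port in honeypots.get(dst, ()):
            touched[(src, dst)].add(port)
    return [Alert("honeypot", src, f"{dst} decoy ports {sorted(ports)}")
            for (src, dst), ports in touched.items()]


# Common Log Format: ip ident user [time] "METHOD path HTTP/x" status size
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] '
                 r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def canarytoken_alerts(log_lines, tokens):
    """Scan web access log lines for requests carrying a planted token.
    tokens: mapping token -> label of the decoy it was planted in."""
    alerts = []
    for line in log_lines:
        m = CLF.match(line)
        if not m:
            continue                       # not a request line; ignore
        for token, label in tokens.items():
            if token in m["path"]:
                alerts.append(Alert("canarytoken", m["ip"],
                                    f"decoy '{label}' opened via {m['method']} {m['path']}"))
    return alerts


def demo():
    """Run both detectors over constructed data and return the alerts."""
    token = "finance-passwords-xlsx-0123456789abcdef"   # fixed for the demo
    tokens = {token: "finance-passwords.xlsx"}
    # Constructed connection records: a scanner sweep (ignored), normal
    # traffic to a real host (ignored) and one workstation probing the decoy.
    events = [
        ("12:00:01", "10.0.1.9", "10.0.5.20", 22),
        ("12:00:02", "10.0.7.44", "10.0.5.10", 445),
        ("12:03:15", "10.0.7.44", "10.0.5.20", 445),
        ("12:03:16", "10.0.7.44", "10.0.5.20", 3389),
    ]
    # Constructed access log: one ordinary request, one fetch of the canary URL.
    logs = [
        '10.0.7.44 - - [04/Nov/2016:12:05:00 +0000] "GET /index.html HTTP/1.1" 200 512',
        f'10.0.7.44 - - [04/Nov/2016:12:05:42 +0000] "GET /r/{token} HTTP/1.1" 200 0',
    ]
    return honeypot_alerts(events) + canarytoken_alerts(logs, tokens)


if __name__ == "__main__":
    for a in demo():
        print(a.kind, a.source, a.detail)
```

The scanner allowlist is the one caveat worth keeping: without it the organisation's own vulnerability scans are the commonest source of false alerts from decoys.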
Identification & Authorisation
A new way forward
Tokens
Tokens - In general, a token is an object that represents something else, such as another object (either physical or virtual) or an abstract concept. In computer systems there are a number of types of tokens, both hardware and software.
In human terms a token of trust can exist between two parties, with such levels of trust reinforced through personal introductions with other parties.
A token generation & management platform designed specifically for high security multi-services in public and private clouds greatly enhances trustworthy information handling.
Identification with Passwords
Any directory service or management platform holding passwords becomes a target by the attacker for credentials' theft.
Passwords are fundamentally flawed: often easy to guess; are reused across different services; are written down, or stored, or shared; can be intercepted; are expensive to maintain. 29% of all cybercrime is from stolen passwords.
Identification WITHOUT Password
The Problem: The password has outlived its usefulness.
Secure Cloudlink's Response: Patented and highly secure tokenised message management solution assures password redundancy. User credentials are not transmitted, stored or replicated. Secure digital services - a snap for the user.
Randomised encrypted key generation – no consistent key to be stolen.
Conclusion
Possible quick-wins
Immediate Low-risk Considerations
People protection: Continuous interactive education on the threats & risks posed by cyber-criminals through the deployment of Phish5 email phishing simulations with supporting education processes
Network hardening: Rapid deployment of customisable, low-cost, capex-free Canary honeypots throughout the strategic points on the network
Access & authorisation protection: Review and assess the usage & costs (direct/indirect) of passwords in your own organisation – test the results against Secure Cloudlink
Information handling assurance: Regular external expert assessment & audit of network data governance practices and procedures
Security Through Obscurity
Warfare - The Social Threat
Attack Surface, Attribution, Residency, Deniability - Living room to Boardroom
Honeypots & Tokens – Evolution Mimicked
Identification and Authorisation – New Pathway
Thank you
Trust in “THIS”
Security through Obscurity
Ray Dalgarno
raycybercastco
New and evolving forms of malware: Mark Olding, Senior Enterprise Presales Consultant, Kaspersky Labs
The what, how, who and why of computer malware
Mark Olding, Senior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1994: 1 NEW VIRUS EVERY HOUR
2006: 1 NEW VIRUS EVERY MINUTE
2011: 1 NEW VIRUS EVERY SECOND
2016: 310,000 NEW SAMPLES EVERY DAY
[Chart: breakdown of the threat (values as extracted: 90, 99, 01) – Traditional cybercrime; Targeted threats to organizations (targeted attacks, advanced persistent threats); Cyber-weapons]
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of Things, Big Data, Fragmentation of the internet
Cloud & Virtualization, Consumerisation & Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy & Data protection challenge
Online banking at risk
Mobile threats, Decreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of Things, Targeting hotel networks
Ransomware programs
Cyber mercenaries, Massive data leaks
Malware for ATMs
Financial phishing attacks, Attacks on PoS terminals
Threats to Smart Cities, ‘Wipers’ & Cyber-sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email, Exploit kits
Social Networks
Browsers, Android OS
VULNERABILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798,113,087 web attacks in 2015
25 attacks per second; 1,518 attacks per minute
91,000 attacks per hour; 2.1 million attacks per day
DRIVE-BY DOWNLOADS (June 2015)
SOCIAL MEDIA (June 2015)
REMOVABLE DRIVES (June 2015)
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
[Chart: users attacked by banking malware per month, Nov-14 to Sep-15, scale 0 to 450,000]
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers.
This number is 2.8% higher than in 2014.
Ransomware (June 2015)
BLOCKERS
CRYPTORS
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetic Bear / Crouching Yeti
Epic Turla
Careto / The Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
bull Evaluate the risksbull Patch OS and applicationsbull Mange your networkbull Secure your systems
Multi-layered protection Not just endpoints Default-Deny Encrypt Donrsquot forget mobile
bull Educate staff
RIGHT NOW
bull Stop fire fighting Create a strategy
bull Itrsquos bigger than ITbull Delegate to experts
Assessment Incident response Analysis
TOMORROW
bull lsquoThe end of APTsrsquobull Alternative payment systems and stock exchangebull Sabotage extortion and shamebull Ransomwarebull Trusted resourcesbull From lsquoAPT-as-a-Servicersquo to lsquoAccess-as-a-servicersquobull Balkanisationbull Transportationbull lsquoCrypto-apocalypse
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
The big question is hellip
Is this really an entirely new threat that we are facing
Our view
But there are some trends
― We are noticing more and larger breaches
― Breaches and data leaks are making the news ndash there is public media and regulatory interest
― The criminals are getting smarter
The threat is NOT new
lsquoCyberrsquo is a convenient label for information risk in the 21st Century
Our view ndash how do we respond
Pursue a strategy of defence-in-depth
Avoid our historic fixation on lsquothe perimeterrsquo This is not a purely technical problem
The solution is not necessarily a technical one Technical controls remain key
The weakest links are likely to beYour people
Your third party suppliers amp partners
And
So
But
Summary
― lsquoCyber threatrsquo is nothing new ndash in our view
― But it is serious
― Target defence in depth
― Staff contractors and suppliers are now your weakest link
― Get back to basics on information governance
― Apply technology solutions intelligently to support amp enable
History quiz
History quiz
Just how successful was it
Not very successful at
all
Perception versus reality
We think we are building thishellip
But we have potentially built thishellip
Case studies ndash poor practices
― October 2015
― Cause Simple (and old) technical exploit (executed by a 15 year-old boy)
― Immediate result 150000 customer records stolen (0ver 15000 full bank details)
― Incidentcrisis management extremely poor― CEO unprepared amp poorly briefed
― Scope of breach massively over-estimated
― Response ill-judged (500000 customers given lsquofree upgradersquo)
― Impacts― REPUTATION ndash Lost 95000 customers in year 1
― FINANCIAL ndash Current financial cost estimated at pound60m
― REGULATORY ndash Formally sanctioned by ICO (Fined 400k)
Case studies ndash insider threat
― December 2014
― Cause Malicious software deployed via lsquophishingrsquo attack used to obtain IDs and passwords
― Politically motivated
― Immediate result 100 terabytes of data stolen (the whole of the ldquocoukrdquo domain is only 68 Tb)
― Data included entire movies financials staff data salary data email records
― Data posted on the internet for download
― Impacts― REPUTATION ndash Deputy CEO forced to resign due to damaging email content
― FINANCIAL ndash Current financial cost estimated at $15m (impact reduced byinsurances and managed legal response)
Case studies ndash third party
― Spring 2014
― Cause Security compromise at third party AirCon and Ventilation contractor ndash access gained to Targetrsquos network
― Immediate result 70m customer records and 40m credit card records harvested across 1797 stores over extended period
― Data downloaded by criminals in Russia
― Impacts― FINANCIAL ndash Current financial cost to Target estimated at $61m (Industry-wide costs estimated at
$200m)
Get back to basics
― Itrsquos not just about the enemy at the gates (ie the perimeter)
― The perimeter is hard to define these days
― We cannot rely solely upon prevention ndash our detection and response capability must improve
We need to take the threat seriously
Get back to basics
― Technology and tools of the highest quality can be undermined by weaknesses in basic security practices
― Or by a flawed corporate culture
― CyberInformation risk is a problem for the entire business to resolve ndash not just IT
― Todayrsquos cyber criminals recognise this and exploit it by adopting a range of approaches which step away from the purely technical and exploit weaknesses in the way that organisations manage control and interact with their information
― A full frontal assault is unlikely to be profitable ndash an attacker will target compromise from the inside And they can be very patient
Get back to basics
Fundamentally addressing the Cyber Threat means going back to basics looking again at your organisation and the controls you already have
― Understanding your people ndash what threats do they pose After all there is no patch for stupidity
― Understanding your organisationrsquos information where it is and how it is used
― Identifying the main risks to physical and information assets
― Ensuring that the right measures are adopted to mitigate risk to within acceptable levels ndash balancing cost versus risk
Get back to basics ndash governance foundations
Unless the foundations of good information and security governance are working well any investment in security technology will most likely be wasted Fundamental areas for focus are
― Staff security training and awareness
― Robust oversight and management of third party suppliers
― Software amp hardware patch management
― Intelligent management amp admin of user access
― Clear policies on security acceptable system use and social media
People Process Tools In that order
Get back to basics ndash making it work
For effective and sustainable governance
― Setting maintaining and continuing to evolve the ldquotone at the toprdquo
― Monitoring of information risk management by the Board of Directors
― Ongoing practical and relevant awareness training
― Independent assurance
― Regular risk-based security testing Inside and outside the perimeter
What happens if a security breach occurs
― If a security breach occurs organisations that follow clearly documented plans to reduce the impact of the breach have a much better chance of staying out of the law courts and avoiding punishment
― Most organisations unfortunately dont have good systems for actually managing the problem If a breach occurs the law is really concerned with your behaviour at that point in time You cant unravel the past and pretend the breach didnt occur its what you do from that point on that will determine your culpability
― On top of having well documented systems and procedures organisations need to have clearly defined actions for dealing with a breach and limiting the damage to those affected This is likely to involve multiple disciplines that could include information security specialists IT resources a PR agency legal advice and credit reporting services
― If you adopt an honourable stance from the outset doing the right thing at the right time then your legal team is in a very strong position to defend you to the regulator arguing that youre not the kind of organisation that has the profile that requires all of the effect of the law and therefore the punishment
How to protect organisations from security breaches
― Take some basic steps to build a protective shieldrdquo most notably― Build a single unified security policy
― Ensure information security forms part of any contract initiation
― Make security part of the process when any project is initiated
― Employee adequacy ndash ensure you have processes for handling new employees changes of job and for employees exiting the company show that they were made aware of security requirements
― Third-party assurance ndash have processes in place to guard information held by third parties
― Culture ndash have a managerial structure in place that demonstrates a chain of responsibility for handling security and reporting errors― lsquoTone at the toprsquo
― Shared ownership of good practices
― Openness amp transparency ndash continuous improvement
State of the Nation ndash addressing Cyber RiskFour golden rules our plan is founded upon
Over 75 of attacks exploit failures to put in place basic controls
Get the basics right
You have to prioritize where you spend your money to defend yourself so build a fortress
around your most critical asset
Look after the crown jewels
Invest in understanding who might attack you why and how so that you can anticipate the most likely scenarios and defend those assets that are
most likely to get attacked
Do your homework on your enemies
Security and resilience can affect nearly every part of an organization Strategies to protect IT
security and business resiliency should align with an organizationrsquos broader goals ndash from protecting intellectual property to maximizing productivity to
finding new ways to delight customers
Treat cyber risk as an opportunity to look closely at your business
Solving the big 'Board reporting problem' in cyber – Jon Hawes, Security Intelligence Strategist, Panaseer
Cyber security insurance – Graeme Newman, Chief Innovation Officer, CFC
Tackling the insider threat – Garath Lauder, Director, Cyberseer; Ted Plumis, Vice President of Channels and Corporate Development, Exabeam
Social engineering: the art of the con – Rob Shapland, Penetration Testing Team Manager, First Base Technologies
Cryptography Basics – Dr David Weston, Lecturer in Computer Science and Information Systems, Birkbeck, University of London
Tokens, Honeypots, Identification, Authorisation Services – Ray Dalgarno, Director, CYBERCAST
Trust with "THIS"
Tokens, Honeypots, Identification, Authorisation Services – The Confluence
Agenda
Warfare
Attack Surface, Attribution, Residency, Deniability
Honeypots & Tokens
Identification and Authorisation
Conclusion
Warfare – Security through obscurity: the reason the armed forces adopt camouflage
NHS Cyber Attacks – The Telegraph, 1st Nov 2016
"…hacking is no longer the stuff of spy thrillers and action movies, but a clear and present threat…"
"…Ben Gummer, minister for Cabinet, says that large quantities of sensitive data held by the NHS and the Government is being targeted by hackers…"
"…Ministers will also unveil a Cyber Security Research Institute, a virtual collection of UK universities which will work towards making passwords obsolete…"
Cyber Fraud
"…Online fraudsters stole £10.9bn in the UK last year…"
"…39% (of respondents) questioned by "Get Safe Online" said they were a victim of cybercrime but did not report it…"
"…53% received phishing messages…"
Extract from The Telegraph, 20th October 2016
Cyber Crime is a War Zone
"Rouse him and learn the principle of his activity or inactivity. Force him to reveal himself, so as to find out his vulnerable spots."
"If you know the enemy and know yourself, you need not fear the results of a hundred battles."
– Sun Tzu, Military General, Strategist & Philosopher, 5th Century BC, China
Deception is a powerful, effective but under-utilised tool (at least by defenders).
Full range of "effects" on adversaries possible through deception:
Deception Effects – Attacker & Defender
Effect: Fail to observe
  Attacker's aim: prevent the defender from detecting the attack
  Defender's aim: prevent the attacker from discovering their target
Effect: Reveal
  Attacker's aim: trick the defender into providing access
  Defender's aim: trick the attacker into revealing their presence
Effect: Waste time
  Attacker's aim: focus the defender's attention on the wrong aspects of the incident
  Defender's aim: focus the attacker's efforts on the wrong target
Operation Mincemeat – 1943
Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa: to convince the Germans that, instead of attacking Sicily, the Allied armies would invade Greece.
This was accomplished by persuading the Germans that they had, by accident, intercepted top secret documents giving details of Allied war plans.
Attack Surface, Attribution, Residency, Deniability – From the living room to the boardroom
Attack Surface
From ordinary consumers to a single-office business, through the regulatory bodies, to the national and global giants.
The environment dictates the approach – no "Silver Bullet".
Layered security – combining multiple mitigating security controls to cost-effectively protect resources & data.
Attack Attribution – At which point in the attack do you realise that you have been hacked?
TalkTalk, DNC, Yahoo
There are very few "smoking guns" visible.
Attacks that often begin with broadly targeted phishing, that can introduce & run new binaries on victims' networks, & that connect to random internal hosts using exfiltrated credentials, can still remain hidden for a year.
Examples of Global IT Vendors' Vulnerabilities
Microsoft: Microsoft's August (2016) Patch Tuesday included five updates rated critical out of a total of nine, bringing the number of patches for the year to date to 103.
SAP: There are vulnerabilities in almost every SAP module; CRM, EP and SRM are leaders among them. (ERPScan, SAP Cyber Threat Report 2016)
Oracle MICROS (and others): In total, more than one million PoS terminals around the world could be at risk should the attacks prove to have been deeper than the companies are currently publicly admitting. (Computing, Aug)
Dwell Time / Residency
Mandiant reported that attackers on average lurked on a network for 205 days before being discovered¹
Microsoft recently reported they place the number at more than 200 days to detect a security breach and 80 days to contain it²
1 https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf
2 https://blogs.windows.com/windowsexperience/2016/03/01/announcing-windows-defender-advanced-threat-protection
Plausible Deniability & Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrongdoing cannot be proved as true or untrue due to a lack of evidence proving the allegation.
It is a basic law for the cheat and the deceiver: be able to offer up an excuse that cannot be disproved easily and that makes sense for the situation.
Trickle-down Effects
Increasing rapidity of car trickle-down: yesteryears' top-end car innovations eventually migrate through the models, becoming standard options in lower-priced vehicles.
This pattern of innovation holds true in virtually every field, including cyber-security.
Malware as a Service (MaaS) – moving from the heavily funded specialist cyber experts down into the mass market.
MaaS is now commonly available at very low cost through the darknet and networks such as Tor and I2P.
Honeypots & Tokens – Evolution, Mimicry
Honeypots
Venus Flytrap in action (triggered honeypot)
Trojan Horse (passive honeypot): built by the Greeks and used to enter the city of Troy and win the 10-year Trojan War – 4th Century story
Cartography: a trap street (passive honeypot) is a fictitious entry in the form of a misrepresented street, for the purpose of trapping potential copyright violators
Tempting – moneypot. All mine……… Ooops!
Honeypot Principle
Focus on detecting threats: here we'd like to know immediately someone has broken into the network, and is in places they shouldn't be.
Ensure the honeypot looks appealing to the attacker: the honeypot must look legitimate & enticing.
In this attack scenario the defender has a particular advantage. Once attackers initially land inside your internal network they're at a disadvantage: they don't know the lay of the land and they need to explore it (reconnaissance) while remaining hidden.
Defence through Deception
Deception is a highly effective solution for protecting environments, used to confuse, delay and redirect the enemy.
Lured to the Canary honeypot, the attacker will be tricked into engaging with that device and believe they are being successful in their attack.
Canary – Today and Tomorrow
Canary – great for remote sites, but what about our VM data centres?
What about integration with established enterprise monitoring frameworks such as OpenView, CA or Microsoft SCOM?
Console management: limit on the number of deployed Canaries
Are "Canarytokens" part of tomorrow's planning?
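The honeytoken idea behind the "Canarytokens" question above, as an added Python example (this is not code from the deck, from CYBERCAST, or from any Canary product): a credential that no real service accepts is generated, rendered into a decoy config file for an intruder doing reconnaissance to find, and a detector then scans authentication log lines for any attempt to use it. Because the credential has no legitimate user, even a failed login with it is a high-confidence signal. The log format, host names, IP addresses and token values are all constructed for the example.

```python
"""Honeytoken detection: a canary credential that should never be used.

Added example, not part of the conference deck or of any vendor product
it mentions. Log format, host names, IPs and token values are constructed.
"""
import re
import secrets
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Honeytoken:
    username: str
    password: str   # never valid anywhere; it exists only to be tried
    planted_in: str  # where the bait was left, quoted in the alert


def generate_honeytoken(planted_in: str, prefix: str = "svc-backup") -> Honeytoken:
    """Create a fresh, random-looking canary credential."""
    return Honeytoken(
        username=f"{prefix}-{secrets.token_hex(4)}",
        password=secrets.token_urlsafe(12),
        planted_in=planted_in,
    )


def render_bait_config(token: Honeytoken) -> str:
    """Text to drop into a decoy config file; it should look like a real secret."""
    return (
        "[backup]\n"
        f"user = {token.username}\n"
        f"password = {token.password}\n"
        "host = backup01.corp.example\n"
    )


# Constructed auth-log format (one event per line):
# <iso-timestamp> host=<h> event=auth user=<u> src=<ip> result=<ok|fail>
AUTH_LINE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) event=auth user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)


def parse_auth_line(line: str) -> Optional[dict]:
    """Parse one log line; returns None for lines that are not auth events."""
    m = AUTH_LINE.match(line.strip())
    return m.groupdict() if m else None


def detect_canary_use(lines: Iterable[str], tokens: Iterable[Honeytoken]) -> list:
    """Return one alert per auth event that used a canary username.

    The result field is deliberately ignored: a canary login fails by design,
    and a failed attempt is still proof that the bait was read and tried.
    """
    by_user = {t.username: t for t in tokens}
    alerts = []
    for line in lines:
        ev = parse_auth_line(line)
        if ev is None or ev["user"] not in by_user:
            continue
        tok = by_user[ev["user"]]
        alerts.append({
            "severity": "critical",
            "ts": ev["ts"],
            "host": ev["host"],
            "src": ev["src"],
            "user": ev["user"],
            "reason": f"canary credential planted in {tok.planted_in} was used",
        })
    return alerts


# Constructed sample log: ordinary activity plus one canary attempt.
CANARY = Honeytoken("svc-backup-d34db33f", "x7Qp-not-a-real-password",
                    r"\\fileshare\it\backup.ini")
SAMPLE_LOG = [
    "2016-11-04T09:12:01Z host=dc01 event=auth user=alice src=10.20.30.12 result=ok",
    "2016-11-04T09:12:44Z host=dc01 event=auth user=bob src=10.20.30.15 result=fail",
    "2016-11-04T09:13:07Z host=dc01 event=auth user=svc-backup-d34db33f src=10.20.30.44 result=fail",
    "2016-11-04T09:13:09Z host=dc01 event=auth user=bob src=10.20.30.15 result=ok",
    "this line is not an auth event",
]


def demo() -> list:
    """Run the detector over the constructed log; expect exactly one alert."""
    return detect_canary_use(SAMPLE_LOG, [CANARY])


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Bob's ordinary failed login produces no alert, only the canary username does, which is what makes this signal low-noise: the alert names the source address and the decoy the credential came from, so the responder knows both where the intruder is and which location they have already read.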
Identification & Authorisation – A new way forward
Tokens – In general, a token is an object that represents something else, such as another object (either physical or virtual) or an abstract concept. In computer systems there are a number of types of tokens, both hardware and software.
In human terms, a token of trust can exist between two parties, with such levels of trust reinforced through personal introductions with other parties.
A token generation & management platform designed specifically for high-security multi-services in public and private clouds greatly enhances trustworthy information handling.
Identification with Passwords: any directory service or management platform holding passwords becomes a target by the attacker for credentials' theft.
Passwords are fundamentally flawed: often easy to guess; reused across different services; written down, stored or shared; can be intercepted; expensive to maintain. 29% of all cybercrime is from stolen passwords.
Identification WITHOUT Password
The Problem: the password has outlived its usefulness.
Secure Cloudlink's Response: patented and highly secure tokenised message management solution assures password redundancy. User credentials are not transmitted, stored or replicated. Secure digital services – a snap for the user.
Randomised encrypted key generation – no consistent key to be stolen.
Conclusion – Possible quick-wins
Immediate Low-risk Considerations
People protection: continuous interactive education on the threats & risks posed by cyber-criminals, through the deployment of Phish5 email phishing simulations with supporting education processes.
Network hardening: rapid deployment of customisable, low-cost, capex-free Canary honeypots throughout the strategic points on the network.
Access & authorisation protection: review and assess the usage & costs (direct/indirect) of passwords in your own organisation – test the results against Secure Cloudlink.
Information handling assurance: regular external expert assessment & audit of network data governance practices and procedures.
Security Through Obscurity
Warfare – The Social Threat
Attack Surface, Attribution, Residency, Deniability – Living room to Boardroom
Honeypots & Tokens – Evolution Mimicked
Identification and Authorisation – New Pathway
Thank you
Trust in "THIS" – Security through Obscurity
Ray Dalgarno
raycybercastco
New and evolving forms of malware – Mark Olding, Senior Enterprise Presales Consultant, Kaspersky Labs
The what, how, who and why of computer malware
Mark Olding, Senior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1994: 1 new virus every hour
2006: 1 new virus every minute
2011: 1 new virus every second
2016: 310,000 new samples every day
THE SCALE OF THE THREAT
[Chart: share of threats by category – traditional cybercrime; targeted threats to organizations (targeted attacks, advanced persistent threats); cyber-weapons. Figures as shown on the slide: 90, 99, 01]
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of Things; Big Data; Fragmentation of the internet
Cloud & Virtualization; Consumerisation & Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy & Data protection challenge
Online banking at risk
Mobile threats; Decreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of Things; Targeting hotel networks
Ransomware programs
Cyber mercenaries; Massive data leaks
Malware for ATMs
Financial phishing attacks; Attacks on PoS terminals
Threats to Smart Cities; 'Wipers' & cyber-sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks; Email; Exploit kits; Social networks; Browsers; Android OS
VULNERABILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798,113,087 web attacks in 2015:
25 attacks per second; 1,518 attacks per minute; 91,000 attacks per hour; 2.1 million attacks per day
DRIVE-BY DOWNLOADS (June 2015)
SOCIAL MEDIA (June 2015)
REMOVABLE DRIVES (June 2015)
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
[Chart: users attacked per month, Nov-14 to Sep-15; y-axis 0 to 450,000 users]
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers.
This number is 2.8% higher than in 2014. (June 2015)
Ransomware (June 2015)
BLOCKERS
CRYPTORS (June 2015)
Advanced Persistent Threats
Stuxnet, Duqu, Gauss, Flame, MiniFlame, Kimsuky, NetTraveler, Winnti, Icefog, RedOctober, Miniduke, TeamSpy, Energetic Bear / Crouching Yeti, Epic Turla, Careto / The Mask, Regin, CosmicDuke, Darkhotel, Spring Dragon, Satellite Turla, MsnMM Campaigns, Darkhotel Part 2, Animal Farm, Equation, Desert Falcons, Carbanak, Sofacy, Hellsing, Naikon, Duqu 2.0, Blue Termite, Wild Neutron
We discover and dissect the world's most sophisticated malware.
HOW THE CARBANAK CYBERGANG STOLE $1bn – a targeted attack on a bank
1. Infection: Carbanak sent a backdoor as an attachment; emails with exploits reached bank employees; credentials were stolen; 100s of machines were infected in search of the admin PC.
2. Harvesting intelligence: intercepting the clerk's screen – recording (REC) the admin's use of the cash transfer systems.
3. Mimicking the staff – how the money was stolen:
― Online banking: money was transferred to the fraudsters' accounts
― E-payment systems: money was transferred to banks in China and the US
― Inflated account balances: the extra funds were pocketed via a fraudulent transaction
― Controlling ATMs: orders to dispense cash at a pre-determined time
MAC MALWARE
In 2012 the Flashback botnet was discovered, consisting of 700,000 computers all running under Mac OS X.
Cybercriminals repeatedly use Mac malware when launching targeted attacks.
Macs can unknowingly pass PC malware onto PCs in your network.
[Chart: Mac malware samples per year, 2003 to 2015; y-axis 0 to 30,000]
Since 2012 the proportion of adware on OS X has increased fivefold (x5).
Kaspersky Lab recorded almost 6 million unique attacks on Mac devices in 2015.
There are more than 24,000 samples of malicious OS X files in Kaspersky Lab's collection.
MOBILE MALWARE
[Chart: mobile malware samples per quarter, Q1 2011 to Q3 2015; y-axis 0 to 1,600,000]
MOBILE MALWARE – Sales
[Chart: mobile malware by category – Adware, RiskTool, Trojan-SMS, Trojan, Trojan-Spy, Backdoor, Trojan-Downloader, Trojan-Banker, Trojan-Ransom, Monitor, Other]
RIGHT NOW
• Evaluate the risks
• Patch OS and applications
• Manage your network
• Secure your systems: multi-layered protection; not just endpoints; Default-Deny; encrypt; don't forget mobile
• Educate staff
• Stop fire fighting: create a strategy
• It's bigger than IT
• Delegate to experts: assessment, incident response, analysis
TOMORROW – FUTURE PROSPECTS
• 'The end of APTs'
• Alternative payment systems and stock exchange
• Sabotage, extortion and shame
• Ransomware
• Trusted resources
• From 'APT-as-a-Service' to 'Access-as-a-Service'
• Balkanisation
• Transportation
• 'Crypto-apocalypse'
THANK YOU
Closing keynote address – Vicki Gavin, Compliance Director, Head of Business Continuity & Information Security, The Economist Group
Thank you
Our view
But there are some trends:
― We are noticing more and larger breaches
― Breaches and data leaks are making the news – there is public, media and regulatory interest
― The criminals are getting smarter
The threat is NOT new: 'Cyber' is a convenient label for information risk in the 21st Century.
Our view – how do we respond?
Pursue a strategy of defence-in-depth.
Avoid our historic fixation on 'the perimeter'. This is not a purely technical problem.
The solution is not necessarily a technical one. Technical controls remain key.
The weakest links are likely to be your people, and your third party suppliers & partners.
Summary
― 'Cyber threat' is nothing new – in our view
― But it is serious
― Target defence in depth
― Staff, contractors and suppliers are now your weakest link
― Get back to basics on information governance
― Apply technology solutions intelligently to support & enable
History quiz – Just how successful was it? Not very successful at all.
Perception versus reality: we think we are building this… but we have potentially built this…
Case studies – poor practices
― October 2015
― Cause: simple (and old) technical exploit (executed by a 15 year-old boy)
― Immediate result: 150,000 customer records stolen (over 15,000 full bank details)
― Incident/crisis management extremely poor
― CEO unprepared & poorly briefed
― Scope of breach massively over-estimated
― Response ill-judged (500,000 customers given 'free upgrade')
― Impacts:
― REPUTATION – Lost 95,000 customers in year 1
― FINANCIAL – Current financial cost estimated at £60m
― REGULATORY – Formally sanctioned by ICO (fined 400k)
Case studies – insider threat
― December 2014
― Cause: malicious software deployed via 'phishing' attack, used to obtain IDs and passwords
― Politically motivated
― Immediate result: 100 terabytes of data stolen (the whole of the ".co.uk" domain is only 68 Tb)
― Data included entire movies, financials, staff data, salary data, email records
― Data posted on the internet for download
― Impacts:
― REPUTATION – Deputy CEO forced to resign due to damaging email content
― FINANCIAL – Current financial cost estimated at $15m (impact reduced by insurances and managed legal response)
Case studies – third party
― Spring 2014
― Cause: security compromise at third party AirCon and Ventilation contractor – access gained to Target's network
― Immediate result: 70m customer records and 40m credit card records harvested across 1,797 stores over an extended period
― Data downloaded by criminals in Russia
― Impacts:
― FINANCIAL – Current financial cost to Target estimated at $61m (industry-wide costs estimated at $200m)
Get back to basics
― It's not just about the enemy at the gates (i.e. the perimeter)
― The perimeter is hard to define these days
― We cannot rely solely upon prevention – our detection and response capability must improve
We need to take the threat seriously.
Get back to basics
― Technology and tools of the highest quality can be undermined by weaknesses in basic security practices
― Or by a flawed corporate culture
― Cyber/Information risk is a problem for the entire business to resolve – not just IT
― Today's cyber criminals recognise this and exploit it by adopting a range of approaches which step away from the purely technical and exploit weaknesses in the way that organisations manage, control and interact with their information
― A full frontal assault is unlikely to be profitable – an attacker will target compromise from the inside. And they can be very patient.
Get back to basics
Fundamentally, addressing the cyber threat means going back to basics: looking again at your organisation and the controls you already have.
― Understanding your people – what threats do they pose? After all, there is no patch for stupidity
― Understanding your organisation's information: where it is and how it is used
― Identifying the main risks to physical and information assets
― Ensuring that the right measures are adopted to mitigate risk to within acceptable levels – balancing cost versus risk
Get back to basics – governance foundations
Unless the foundations of good information and security governance are working well, any investment in security technology will most likely be wasted. Fundamental areas for focus are:
― Staff security training and awareness
― Robust oversight and management of third party suppliers
― Software & hardware patch management
― Intelligent management & admin of user access
― Clear policies on security, acceptable system use and social media
People, Process, Tools. In that order.
Get back to basics – making it work
For effective and sustainable governance:
― Setting, maintaining and continuing to evolve the "tone at the top"
― Monitoring of information risk management by the Board of Directors
― Ongoing, practical and relevant awareness training
― Independent assurance
― Regular risk-based security testing, inside and outside the perimeter
What happens if a security breach occurs?
― If a security breach occurs, organisations that follow clearly documented plans to reduce the impact of the breach have a much better chance of staying out of the law courts and avoiding punishment.
― Most organisations, unfortunately, don't have good systems for actually managing the problem. If a breach occurs, the law is really concerned with your behaviour at that point in time. You can't unravel the past and pretend the breach didn't occur; it's what you do from that point on that will determine your culpability.
― On top of having well documented systems and procedures, organisations need to have clearly defined actions for dealing with a breach and limiting the damage to those affected. This is likely to involve multiple disciplines that could include information security specialists, IT resources, a PR agency, legal advice and credit reporting services.
― If you adopt an honourable stance from the outset, doing the right thing at the right time, then your legal team is in a very strong position to defend you to the regulator, arguing that you're not the kind of organisation that has the profile that requires all of the effect of the law and therefore the punishment.
How to protect organisations from security breaches
― Take some basic steps to build a "protective shield", most notably:
― Build a single unified security policy
― Ensure information security forms part of any contract initiation
― Make security part of the process when any project is initiated
― Employee adequacy ndash ensure you have processes for handling new employees changes of job and for employees exiting the company show that they were made aware of security requirements
― Third-party assurance ndash have processes in place to guard information held by third parties
― Culture ndash have a managerial structure in place that demonstrates a chain of responsibility for handling security and reporting errors― lsquoTone at the toprsquo
― Shared ownership of good practices
― Openness amp transparency ndash continuous improvement
State of the Nation ndash addressing Cyber RiskFour golden rules our plan is founded upon
Over 75 of attacks exploit failures to put in place basic controls
Get the basics right
You have to prioritize where you spend your money to defend yourself so build a fortress
around your most critical asset
Look after the crown jewels
Invest in understanding who might attack you why and how so that you can anticipate the most likely scenarios and defend those assets that are
most likely to get attacked
Do your homework on your enemies
Security and resilience can affect nearly every part of an organization Strategies to protect IT
security and business resiliency should align with an organizationrsquos broader goals ndash from protecting intellectual property to maximizing productivity to
finding new ways to delight customers
Treat cyber risk as an opportunity to look closely at your business
Solving the big lsquoBoard reporting problemrsquo in cyberJon Hawes Security Intelligence Strategist Panaseer
Cyber security insuranceGraeme Newman Chief Innovation OfficerCFC
Tackling the insider threatGarath Lauder Director CyberseerTed Plumis Vice President of Channels and Corporate Development Exabeam
Social engineering the art of the conRob Shapland Penetration Testing Team Manager First Base Technologies
Cryptography Basics Dr David Weston Lecturer in Computer Science and Information SystemsBirkbeck University of London
Tokens Honeypots Idenitfication Authorisation Services Ray Dalgarno Director CYBERCAST
Trust with ldquoTHISrdquo
TokensHoneypots
Identification Authorisation ServicesThe Confluence
Agenda
Warfare
Attack Surface Attribution Residency Deniability
Honeypots amp Tokens
Identification and Authorisation
Conclusion
WarfareSecurity through obscurity ndash
the reason the armed forces adopt camouflage
NHS Cyber Attacks ndash The Telegraph 1st Nov 2016
ldquohelliphacking is no longer the stuff of spy thrillers and action movies but a clear and present threathelliprdquo
ldquohellipBen Gummer minister for Cabinet says that large quantities of sensitive data held by the NHS and the Government is being targeted by hackershelliprdquo
ldquohellipMinisters will also unveil a Cyber Security Research Institute a virtual collection of UK universities which will work towards making passwords obsoletehelliprdquo
Cyber Fraud
ldquohellipOnline fraudsters stole pound109bn in the UK last yearhelliprdquo
ldquohellip39 (of respondents) questioned by ldquoGet Safe Onlinerdquo said they were a victim of cybercrime but did not report ithelliprdquo
ldquohellip53 received phishing messageshelliprdquo
Extract from The Telegraph 20th October 2016
Cyber Crime is a War ZoneldquoRouse him and learn the principle of his activity or inactivity Force him to reveal himself so as to find out his vulnerable spotsrdquoldquoIf you know the enemy and know yourself you need not fear the results of a hundred battlesrdquo
- Sun Tzu Military General Strategist amp Philosopher 5th Century BC ChinaDeception is a powerful effective but under utilised tool ndash (at least by defenders)
Full range of ldquoeffectsrdquo on adversaries possible through deception
Effects Attacker Defender
Fail to observe
Prevent the defender from detecting the attack Prevent the attacker from discovering their target
Reveal
Trick the defender into providing access Trick the attacker into revealing their presence
Waste Time
Focus the defenderrsquos attention on the wrong aspects of the incident
Focus the attackerrsquos efforts on the wrong target
Deception Effects - Attacker amp Defender
Operation Mincemeat - 1943
Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa To convince the Germans that instead of attacking Sicily the Allied armies would invade Greece
Operation Mincemeat - 1943Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa To convince the Germans that instead of attacking Sicily the Allied armies would invade Greece
This was accomplished by persuading the Germans that they had by accident intercepted top secret documents giving details of Allied war plans
Attack Surface Attribution Residency
DeniabilityFrom the living room to the boardroom
Attack Surface
From ordinary consumers to a single-office business through the regulatory bodies to the national and global giants
The environment dictates the approach ndash no ldquoSilver Bulletrdquo
Layered security ndash combining multiple mitigating security controls to cost effectively protect resources amp data
Attack AttributionAt which point in the attack do you realise that you have been hacked
TalkTalk DNC Yahoo
There are very few ldquosmoking gunsrdquo visible
Attacks that often begin with broadly targeted phishing that can introduce amp run new binaries on victims networks amp that connect to random internal hosts using exfiltrated credentials can still remain hidden for a year
Examples of Global IT Vendorsrsquo Vulnerabilities
Microsoft Microsoft August (2016) Patch Tuesday included five updates rated
critical out of a total of nine bringing the number of patches for the year-to-date at 103
SAP There are vulnerabilities in almost every SAP module CRM EP and SRM
are leaders among them ERPScan SAP Cyber Threat Report2016
Oracle MICROS (and others) In total more than one million PoS terminals around the world could be
at risk should the attacks prove to have been deeper than the companies are currently publicly admitting
Computing Aug
Dwell TimeResidency
Mandiant reported that attackers on average lurked on a network for 205 days before being discoveredsup1
Microsoft recently reported they place the number at more than 200 days to detect a security breach and 80 days to contain itsup2
1 httpswww2fireeyecomrsfireyeimagesrpt-m-trends-2015pdf2 httpsblogswindowscomwindowsexperience20160301announcing-windows-defender-advanced-threat-protection
Plausible Deniability amp Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrong doing cannot be proved as true or untrue due to a lack of evidence proving the allegation
It is a basic law for the cheat and the deceiver Be able to offer up an excuse that cannot be disproved easily and that makes sense for the situation
Trickle-down Effects
Increasing rapidity of car-trickle-down yester-yearsrsquo top end car innovations eventually migrate through the models becoming standard options in lower-priced vehicles
This pattern of innovation holds true in virtually every field including cyber- security
Malware as a Service (MaaS) ndash moving from the heavily funded specialist cyber experts down into the mass market
MaaS now commonly available at very low cost through the darknet and sites such TOR I2p
Honeypots amp TokensEvolution Mimicry
Honeypots
Venus Flytrap in Action (triggered honeypot)
Trojan Horse (passive honeypot) Greeks built used to enter the city of Troy and win the 10 year Trojan war - 4th Century story
Cartography A trap street (passive honeypot) is a fictitious entry in the form of a misrepresented street for the purpose of trapping potential copyright violators
Tempting - moneypot
All minehelliphelliphellip
Ooops
Honeypot Principle
Focus on detecting threats Here wersquod like to know immediately someone has broken into the network
and in places they shouldnrsquot be
Ensure the honeypot looks appealing to the attacker The honeypot must look legitimate amp enticing
In this attack scenario the defender has particular advantage Once attackers initially land inside your internal network theyrsquore at a
disadvantage They donrsquot know the lay of the land and they need to explore it (reconnaissance) while remaining hidden
Defence through Deception
Deception is a highly effective solution for protecting environments used to confuse delay and redirect the enemy
Lured to the Canary Honeypot the attacker will be tricked into engaging with that device and believe they are being successful in their attack
Canary ndash Today and Tomorrow
Canary - great for remote sites but what about our VM data centres
What about integration with established enterprise monitoring frameworks such as Openview CA or Microsoft SCOM
Console management limit on the number of deployed Canaries
Are ldquoCanarytokensrdquo part of tomorrowrsquos planning
Identification amp Authorisation
A new way forward
TokensTokens - In general a token is an object that represents something else such as another object (either physical or virtual) or an abstract concept In computer systems there are a number of types of tokens both hardware and software
In human terms a token of trust can exist between two parties with such levels of trust reinforced through personal introductions with other partiesA token generation amp management platform designed specifically for high security multi-services in public and private clouds
greatly enhances trustworthy information handling
Identification with Passwords Any directory service or managementplatform holding passwords becomes atarget by the attacker for credentialsrsquo theft
Passwords are fundamentally flawed Often easy to guess Are reused across different services Are written down or stored or shared Can be intercepted Are expensive to maintain 29 of all cybercrime is from stolen
passwords
Identification WITHOUT Password
The Problem The password has outlived itrsquos usefulness
Secure Cloudlinkrsquos Response Patented and highly secure tokenised message management
solution assures password redundancy User credentials are not transmitted stored or replicated Secure digital services - a snap for the user
Randomised encrypted key generation ndashno consistent key to be stolen
ConclusionPossible quick-wins
Immediate Low-risk ConsiderationsPeople protection Continuous inter-active education on the threats amp risks posed by cyber-criminals through the deployment of Phish5 email phishing simulations with supporting education processes
Network hardening Rapid deployment of customisable low-cost capex-free Canary honeypots throughout the strategic points on the network
Access amp authorisation protection Review and assess the usage amp costs (directindirect) of passwords in your own organisation ndash test the results against Secure Cloudlink
Information handling assurance Regular external expert assessment amp audit of network data governance practices and procedures
Security Through Obscurity
Warfare - The Social Threat
Attack Surface Attribution Residency Deniability -Livingroom to Boardroom
Honeypots amp Tokens ndash Evolution Mimicked
Identification and Authorisation ndash New Pathway
Thank you
Trust in ldquoTHISrdquo
Security through ObscurityRay Dalgarno
raycybercastco
New and evolving forms of malware – Mark Olding, Senior Enterprise Presales Consultant, Kaspersky Labs
The what, how, who and why of computer malware
THE SCALE OF THE THREAT
1994: 1 new virus every hour
2006: 1 new virus every minute
2011: 1 new virus every second
2016: 310,000 new samples every day
THE SCALE OF THE THREAT
90% – Traditional cybercrime
9.9% – Targeted threats to organizations (targeted attacks, advanced persistent threats)
0.1% – Cyber-weapons
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of Things; Big Data; Fragmentation of the internet; Cloud & Virtualization; Consumerisation & Mobility; Critical Infrastructure at risk; Increasing online commerce; Privacy & Data protection challenge; Online banking at risk; Mobile threats; Decreasing costs of APTs; Merger of cyber crime and APTs; Supply chain attacks; Targeting hotel networks; Ransomware programs; Cyber mercenaries; Massive data leaks; Malware for ATMs; Financial phishing attacks; Attacks on PoS terminals; Threats to Smart Cities; 'Wipers' & Cyber-sabotage; Targeted Attacks
HOW MALWARE SPREADS
USB sticks; Email; Exploit kits; Social Networks; Browsers; Android OS
VULNERABILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798,113,087 web attacks in 2015:
2.1 million attacks per day; 91,000 attacks per hour; 1,518 attacks per minute; 25 attacks per second
DRIVE-BY DOWNLOADS (chart, June 2015)
SOCIAL MEDIA (chart, June 2015)
REMOVABLE DRIVES (chart, June 2015)
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
[Chart: monthly counts, Nov-14 to Sep-15; y-axis "Users", 0 to 450,000]
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on almost 2 million computers.
This number is 2.8% higher than in 2014.
Ransomware (chart, June 2015): BLOCKERS / CRYPTORS
Advanced Persistent Threats
Stuxnet, Duqu, Gauss, Flame, MiniFlame, Kimsuky, NetTraveler, Winnti, Icefog, RedOctober, Miniduke, TeamSpy, Energetic Bear/Crouching Yeti, Epic Turla, Careto/The Mask, Regin, CosmicDuke, Darkhotel, Spring Dragon, Satellite Turla, MsnMM Campaigns, Darkhotel Part 2, Animal Farm, Equation, Desert Falcons, Carbanak, Sofacy, Hellsing, Naikon, Duqu 2.0, Blue Termite, Wild Neutron
We discover and dissect the world's most sophisticated malware.
HOW THE CARBANAK CYBERGANG STOLE $1bn – a targeted attack on a bank
1. Infection: Carbanak sent a backdoor as an attachment – emails with exploits to a bank employee; credentials stolen; 100s of machines infected in search of the admin PC.
2. Harvesting intelligence: intercepting the clerk's screen (admin PC recorded) – cash transfer systems.
3. Mimicking the staff – how the money was stolen:
Online banking: money was transferred to the fraudsters' accounts.
E-payment systems: money was transferred to banks in China and the US.
Inflated account balances: the extra funds were pocketed via a fraudulent transaction.
Controlling ATMs: orders to dispense cash at a pre-determined time.
MAC MALWARE
In 2012 the Flashback botnet was discovered, consisting of 700,000 computers all running Mac OS X.
Cybercriminals repeatedly use Mac malware when launching targeted attacks.
Macs can unknowingly pass PC malware onto PCs in your network.
[Chart: Mac malware samples per year, 2003 to 2015; y-axis 0 to 30,000]
Since 2012 the proportion of adware on OS X has increased fivefold (x5).
Kaspersky Lab recorded almost 6 million unique attacks on Mac devices in 2015.
There are more than 24,000 samples of malicious OS X files in Kaspersky Lab's collection.
MOBILE MALWARE
[Chart: mobile malware samples per quarter, Q1 2011 to Q3 2015; y-axis 0 to 1,600,000]
MOBILE MALWARE – share by type (pie chart): Adware, RiskTool, Trojan-SMS, Trojan, Trojan-Spy, Backdoor, Trojan-Downloader, Trojan-Banker, Trojan-Ransom, Monitor, Other
RIGHT NOW
• Evaluate the risks
• Patch OS and applications
• Manage your network
• Secure your systems: multi-layered protection, not just endpoints; Default-Deny; Encrypt; don't forget mobile
• Educate staff
• Stop fire fighting – create a strategy
• It's bigger than IT
• Delegate to experts: assessment, incident response, analysis
TOMORROW – FUTURE PROSPECTS
• 'The end of APTs'
• Alternative payment systems and stock exchange
• Sabotage, extortion and shame
• Ransomware
• Trusted resources
• From 'APT-as-a-Service' to 'Access-as-a-service'
• Balkanisation
• Transportation
• 'Crypto-apocalypse'
THANK YOU
Closing keynote address – Vicki Gavin, Compliance Director, Head of Business Continuity & Information Security, The Economist Group
Thank you
Our view – how do we respond?
Pursue a strategy of defence-in-depth.
Avoid our historic fixation on 'the perimeter'.
This is not a purely technical problem, and so the solution is not necessarily a technical one; but technical controls remain key.
The weakest links are likely to be your people, and your third party suppliers & partners.
Summary
― 'Cyber threat' is nothing new – in our view
― But it is serious
― Target defence in depth
― Staff, contractors and suppliers are now your weakest link
― Get back to basics on information governance
― Apply technology solutions intelligently to support & enable
History quiz
Just how successful was it? Not very successful at all.
Perception versus reality
We think we are building this… but we have potentially built this…
Case studies – poor practices
― October 2015
― Cause: simple (and old) technical exploit (executed by a 15-year-old boy)
― Immediate result: 150,000 customer records stolen (over 15,000 full bank details)
― Incident/crisis management extremely poor
― CEO unprepared & poorly briefed
― Scope of breach massively over-estimated
― Response ill-judged (500,000 customers given 'free upgrade')
― Impacts:
― REPUTATION – lost 95,000 customers in year 1
― FINANCIAL – current financial cost estimated at £60m
― REGULATORY – formally sanctioned by ICO (fined £400k)
Case studies – insider threat
― December 2014
― Cause: malicious software deployed via 'phishing' attack, used to obtain IDs and passwords
― Politically motivated
― Immediate result: 100 terabytes of data stolen (the whole of the ".co.uk" domain is only 68 TB)
― Data included entire movies, financials, staff data, salary data, email records
― Data posted on the internet for download
― Impacts:
― REPUTATION – Deputy CEO forced to resign due to damaging email content
― FINANCIAL – current financial cost estimated at $15m (impact reduced by insurances and managed legal response)
Case studies – third party
― Spring 2014
― Cause: security compromise at third party AirCon and Ventilation contractor – access gained to Target's network
― Immediate result: 70m customer records and 40m credit card records harvested across 1,797 stores over an extended period
― Data downloaded by criminals in Russia
― Impacts:
― FINANCIAL – current financial cost to Target estimated at $61m (industry-wide costs estimated at $200m)
Get back to basics
― It's not just about the enemy at the gates (i.e. the perimeter)
― The perimeter is hard to define these days
― We cannot rely solely upon prevention – our detection and response capability must improve
We need to take the threat seriously.
Get back to basics
― Technology and tools of the highest quality can be undermined by weaknesses in basic security practices
― Or by a flawed corporate culture
― Cyber/Information risk is a problem for the entire business to resolve – not just IT
― Today's cyber criminals recognise this and exploit it by adopting a range of approaches which step away from the purely technical and exploit weaknesses in the way that organisations manage, control and interact with their information
― A full frontal assault is unlikely to be profitable – an attacker will target compromise from the inside. And they can be very patient
Get back to basics
Fundamentally, addressing the Cyber Threat means going back to basics: looking again at your organisation and the controls you already have.
― Understanding your people – what threats do they pose? After all, there is no patch for stupidity
― Understanding your organisation's information: where it is and how it is used
― Identifying the main risks to physical and information assets
― Ensuring that the right measures are adopted to mitigate risk to within acceptable levels – balancing cost versus risk
Get back to basics – governance foundations
Unless the foundations of good information and security governance are working well, any investment in security technology will most likely be wasted. Fundamental areas for focus are:
― Staff security training and awareness
― Robust oversight and management of third party suppliers
― Software & hardware patch management
― Intelligent management & admin of user access
― Clear policies on security, acceptable system use and social media
People, Process, Tools. In that order.
Get back to basics – making it work
For effective and sustainable governance:
― Setting, maintaining and continuing to evolve the "tone at the top"
― Monitoring of information risk management by the Board of Directors
― Ongoing, practical and relevant awareness training
― Independent assurance
― Regular risk-based security testing, inside and outside the perimeter
What happens if a security breach occurs?
― If a security breach occurs, organisations that follow clearly documented plans to reduce the impact of the breach have a much better chance of staying out of the law courts and avoiding punishment.
― Most organisations, unfortunately, don't have good systems for actually managing the problem. If a breach occurs, the law is really concerned with your behaviour at that point in time. You can't unravel the past and pretend the breach didn't occur; it's what you do from that point on that will determine your culpability.
― On top of having well documented systems and procedures, organisations need to have clearly defined actions for dealing with a breach and limiting the damage to those affected. This is likely to involve multiple disciplines that could include information security specialists, IT resources, a PR agency, legal advice and credit reporting services.
― If you adopt an honourable stance from the outset, doing the right thing at the right time, then your legal team is in a very strong position to defend you to the regulator, arguing that you're not the kind of organisation that has the profile that requires all of the effect of the law and therefore the punishment.
How to protect organisations from security breaches
― Take some basic steps to build a "protective shield", most notably:
― Build a single, unified security policy
― Ensure information security forms part of any contract initiation
― Make security part of the process when any project is initiated
― Employee adequacy – ensure you have processes for handling new employees, changes of job and for employees exiting the company; show that they were made aware of security requirements
― Third-party assurance – have processes in place to guard information held by third parties
― Culture – have a managerial structure in place that demonstrates a chain of responsibility for handling security and reporting errors
― 'Tone at the top'
― Shared ownership of good practices
― Openness & transparency – continuous improvement
State of the Nation – addressing Cyber Risk: four golden rules our plan is founded upon
Get the basics right: over 75% of attacks exploit failures to put in place basic controls.
Look after the crown jewels: you have to prioritize where you spend your money to defend yourself, so build a fortress around your most critical asset.
Do your homework on your enemies: invest in understanding who might attack you, why and how, so that you can anticipate the most likely scenarios and defend those assets that are most likely to get attacked.
Treat cyber risk as an opportunity to look closely at your business: security and resilience can affect nearly every part of an organization. Strategies to protect IT security and business resiliency should align with an organization's broader goals – from protecting intellectual property, to maximizing productivity, to finding new ways to delight customers.
Solving the big 'Board reporting problem' in cyber – Jon Hawes, Security Intelligence Strategist, Panaseer
Cyber security insurance – Graeme Newman, Chief Innovation Officer, CFC
Tackling the insider threat – Garath Lauder, Director, Cyberseer; Ted Plumis, Vice President of Channels and Corporate Development, Exabeam
Social engineering: the art of the con – Rob Shapland, Penetration Testing Team Manager, First Base Technologies
Cryptography Basics – Dr David Weston, Lecturer in Computer Science and Information Systems, Birkbeck, University of London
Tokens, Honeypots, Identification, Authorisation Services – Ray Dalgarno, Director, CYBERCAST
Trust with "THIS"
Tokens, Honeypots, Identification, Authorisation Services – The Confluence
Agenda
Warfare
Attack Surface, Attribution, Residency, Deniability
Honeypots & Tokens
Identification and Authorisation
Conclusion
Warfare
Security through obscurity – the reason the armed forces adopt camouflage.
NHS Cyber Attacks – The Telegraph, 1st Nov 2016
"…hacking is no longer the stuff of spy thrillers and action movies but a clear and present threat…"
"…Ben Gummer, minister for Cabinet, says that large quantities of sensitive data held by the NHS and the Government is being targeted by hackers…"
"…Ministers will also unveil a Cyber Security Research Institute, a virtual collection of UK universities which will work towards making passwords obsolete…"
Cyber Fraud
"…Online fraudsters stole £10.9bn in the UK last year…"
"…39% (of respondents) questioned by "Get Safe Online" said they were a victim of cybercrime but did not report it…"
"…53% received phishing messages…"
Extract from The Telegraph, 20th October 2016
Cyber Crime is a War Zone
"Rouse him and learn the principle of his activity or inactivity. Force him to reveal himself, so as to find out his vulnerable spots." "If you know the enemy and know yourself, you need not fear the results of a hundred battles."
- Sun Tzu, Military General, Strategist & Philosopher, 5th Century BC, China
Deception is a powerful, effective but under-utilised tool – (at least by defenders).
Full range of "effects" on adversaries possible through deception
Deception Effects - Attacker & Defender
Fail to observe: Attacker – prevent the defender from detecting the attack. Defender – prevent the attacker from discovering their target.
Reveal: Attacker – trick the defender into providing access. Defender – trick the attacker into revealing their presence.
Waste time: Attacker – focus the defender's attention on the wrong aspects of the incident. Defender – focus the attacker's efforts on the wrong target.
Operation Mincemeat - 1943
Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa: to convince the Germans that, instead of attacking Sicily, the Allied armies would invade Greece.
This was accomplished by persuading the Germans that they had, by accident, intercepted top secret documents giving details of Allied war plans.
Attack Surface, Attribution, Residency, Deniability – from the living room to the boardroom
Attack Surface
From ordinary consumers, to a single-office business, through the regulatory bodies, to the national and global giants.
The environment dictates the approach – no "Silver Bullet".
Layered security – combining multiple mitigating security controls to cost-effectively protect resources & data.
Attack Attribution
At which point in the attack do you realise that you have been hacked? TalkTalk, DNC, Yahoo.
There are very few "smoking guns" visible.
Attacks that often begin with broadly targeted phishing, that can introduce & run new binaries on victims' networks, & that connect to random internal hosts using exfiltrated credentials, can still remain hidden for a year.
Examples of Global IT Vendors' Vulnerabilities
Microsoft: Microsoft's August (2016) Patch Tuesday included five updates rated critical out of a total of nine, bringing the number of patches for the year-to-date to 103.
SAP: There are vulnerabilities in almost every SAP module; CRM, EP and SRM are leaders among them. (ERPScan, SAP Cyber Threat Report 2016)
Oracle MICROS (and others): In total more than one million PoS terminals around the world could be at risk should the attacks prove to have been deeper than the companies are currently publicly admitting. (Computing, Aug.)
Dwell Time / Residency
Mandiant reported that attackers on average lurked on a network for 205 days before being discovered.¹
Microsoft recently reported they place the number at more than 200 days to detect a security breach and 80 days to contain it.²
1. https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf
2. https://blogs.windows.com/windowsexperience/2016/03/01/announcing-windows-defender-advanced-threat-protection
Plausible Deniability & Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrongdoing cannot be proved as true or untrue due to a lack of evidence proving the allegation.
It is a basic law for the cheat and the deceiver: be able to offer up an excuse that cannot be disproved easily and that makes sense for the situation.
Trickle-down Effects
Increasing rapidity of car trickle-down: yester-years' top-end car innovations eventually migrate through the models, becoming standard options in lower-priced vehicles.
This pattern of innovation holds true in virtually every field, including cyber-security.
Malware as a Service (MaaS) – moving from the heavily funded specialist cyber experts down into the mass market.
MaaS is now commonly available at very low cost through the darknet and sites such as TOR and I2P.
Honeypots & Tokens – Evolution, Mimicry
Honeypots
Venus Flytrap in action (triggered honeypot).
Trojan Horse (passive honeypot): built by the Greeks and used to enter the city of Troy and win the 10-year Trojan war - 4th Century story.
Cartography: a trap street (passive honeypot) is a fictitious entry in the form of a misrepresented street, for the purpose of trapping potential copyright violators.
[Cartoon: Tempting - "moneypot". "All mine………" "Ooops"]
Honeypot Principle
Focus on detecting threats: here we'd like to know immediately someone has broken into the network and is in places they shouldn't be.
Ensure the honeypot looks appealing to the attacker: the honeypot must look legitimate & enticing.
In this attack scenario the defender has a particular advantage. Once attackers initially land inside your internal network they're at a disadvantage: they don't know the lay of the land and they need to explore it (reconnaissance) while remaining hidden.
Defence through Deception
Deception is a highly effective solution for protecting environments, used to confuse, delay and redirect the enemy.
Lured to the Canary honeypot, the attacker will be tricked into engaging with that device and believe they are being successful in their attack.
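The honeypot principle above (know immediately when someone is in a place they should not be) and the "trick the attacker into revealing their presence" row of the deception table can both be implemented with a credential honeytoken: plant decoy logins that no member of staff ever uses, then treat any authentication event naming one of them as a high-fidelity alert. The block below is an added example written for this page; it is not code from the talk, from CYBERCAST or from the Canary product. It assumes a constructed plain-text auth-log format (timestamp, host=, user=, src=, result=) and uses constructed decoy account names and sample log lines.

```python
"""Credential honeytoken detection (added example, not the talk's own code).

Assumed log format, one authentication event per line:
    <ISO time> host=<name> user=<login> src=<ip> result=<ok|fail>
Decoy logins are planted where an intruder doing reconnaissance looks
(a config file on a share, a "password list" document) and are never used
by legitimate staff, so any event that names one is worth an alert.
"""
import re
import secrets
from collections import Counter
from dataclasses import dataclass

# Constructed decoy logins for the demo; the passwords are placeholders.
DEMO_DECOYS = {
    "svc-backup-ro": "placeholder-not-a-real-secret",
    "svc-sap-sync": "placeholder-not-a-real-secret",
}

# Constructed sample log: one normal login, two uses of a decoy from the
# same internal address (one failed, one successful), one malformed line.
SAMPLE_LOG = [
    "2016-11-04T09:12:01Z host=fileserver01 user=jsmith src=10.0.1.15 result=ok",
    "2016-11-04T09:13:44Z host=fileserver01 user=svc-backup-ro src=10.0.5.23 result=fail",
    "2016-11-04T09:13:50Z host=db02 user=svc-backup-ro src=10.0.5.23 result=ok",
    "2016-11-04T09:14:02Z host=db02 user=aturing src=10.0.1.40 result=ok",
    "this line is malformed and must be skipped rather than crash the sweep",
]

LOG_RE = re.compile(
    r"^(?P<when>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class CanaryAlert:
    when: str
    host: str
    user: str
    src: str
    result: str


def make_decoy_credentials(n: int, prefix: str = "svc-") -> dict:
    """Mint n unique decoy logins with random passwords.

    Each login carries a random suffix, so planting a different decoy in
    each location tells you *where* the intruder was looking when one fires.
    """
    return {
        f"{prefix}{secrets.token_hex(4)}": secrets.token_urlsafe(16)
        for _ in range(n)
    }


def find_canary_hits(log_lines, decoy_users) -> list:
    """Return one CanaryAlert for every auth event that names a decoy login.

    A failed attempt counts as much as a success: nobody legitimate knows
    these names, so any use at all means the planted bait has been found.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue  # tolerate noise; a bad line must never stop the sweep
        if m["user"] in decoy_users:
            hits.append(CanaryAlert(m["when"], m["host"], m["user"],
                                    m["src"], m["result"]))
    return hits


def sources_to_contain(hits) -> dict:
    """Count hits per source address: the first thing a responder isolates."""
    return dict(Counter(h.src for h in hits))


if __name__ == "__main__":
    alerts = find_canary_hits(SAMPLE_LOG, set(DEMO_DECOYS))
    for a in alerts:
        print(f"CANARY TRIPPED {a.when} decoy={a.user} from={a.src} "
              f"on={a.host} ({a.result})")
    print("sources to contain:", sources_to_contain(alerts))
```

The value of the technique is the near-zero false-positive rate: because the decoy names exist only in the bait, a single match is actionable, which is the "know immediately" property the slide asks for, and the source address in the alert is what the responder contains first.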
Canary – Today and Tomorrow
Canary - great for remote sites, but what about our VM data centres?
What about integration with established enterprise monitoring frameworks such as Openview, CA or Microsoft SCOM?
Console management limit on the number of deployed Canaries?
Are "Canarytokens" part of tomorrow's planning?
Identification & Authorisation – a new way forward
Tokens
In general a token is an object that represents something else, such as another object (either physical or virtual) or an abstract concept. In computer systems there are a number of types of tokens, both hardware and software.
In human terms a token of trust can exist between two parties with such levels of trust reinforced through personal introductions with other partiesA token generation amp management platform designed specifically for high security multi-services in public and private clouds
greatly enhances trustworthy information handling
Identification with Passwords Any directory service or managementplatform holding passwords becomes atarget by the attacker for credentialsrsquo theft
Passwords are fundamentally flawed Often easy to guess Are reused across different services Are written down or stored or shared Can be intercepted Are expensive to maintain 29 of all cybercrime is from stolen
passwords
Identification WITHOUT Password
The Problem The password has outlived itrsquos usefulness
Secure Cloudlinkrsquos Response Patented and highly secure tokenised message management
solution assures password redundancy User credentials are not transmitted stored or replicated Secure digital services - a snap for the user
Randomised encrypted key generation ndashno consistent key to be stolen
ConclusionPossible quick-wins
Immediate Low-risk ConsiderationsPeople protection Continuous inter-active education on the threats amp risks posed by cyber-criminals through the deployment of Phish5 email phishing simulations with supporting education processes
Network hardening Rapid deployment of customisable low-cost capex-free Canary honeypots throughout the strategic points on the network
Access amp authorisation protection Review and assess the usage amp costs (directindirect) of passwords in your own organisation ndash test the results against Secure Cloudlink
Information handling assurance Regular external expert assessment amp audit of network data governance practices and procedures
Security Through Obscurity
Warfare - The Social Threat
Attack Surface Attribution Residency Deniability -Livingroom to Boardroom
Honeypots amp Tokens ndash Evolution Mimicked
Identification and Authorisation ndash New Pathway
Thank you
Trust in ldquoTHISrdquo
Security through ObscurityRay Dalgarno
raycybercastco
New and evolving forms of malwareMark Olding Senior Enterprise Presales Consultant Kaspersky Labs
The what how who and why of computer malware
Mark OldingSenior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1NEW VIRUS EVERY HOUR
19941NEW VIRUS EVERY MINUTE
20061NEW VIRUS EVERY SECOND
2011310000NEW SAMPLES EVERY DAY
2016
THE SCALE OF THE THREAT
90
99
01
Targeted attacks
Advanced persistent threats
Traditional cybercrime
Targeted threats to organizations
Cyber-weapons
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of ThingsBig Data Fragmentation of the internet
Cloud amp Virtualization Consumerisation amp Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy amp Data protection challenge
Online banking at risk
Mobile threatsDecreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of ThingsTargeting hotel networks
Ransomware programs
Cyber mercenaries Massive data leaks
Malware for ATMs
Financial phishing attacksAttacks on
PoS terminals
Threats to Smart CitieslsquoWipersrsquo amp Cyber - sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email Exploit kits
Social Networks
BrowsersAn-droi-dOS
VULNERBILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798113087 web attacks in 2015
25 attacks per second1518 attacks per minute
21 million attacks per day 91000 attacks per hour
DRIVE-BY DOWNLOADS
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
bull Evaluate the risksbull Patch OS and applicationsbull Mange your networkbull Secure your systems
Multi-layered protection Not just endpoints Default-Deny Encrypt Donrsquot forget mobile
bull Educate staff
RIGHT NOW
bull Stop fire fighting Create a strategy
bull Itrsquos bigger than ITbull Delegate to experts
Assessment Incident response Analysis
TOMORROW
bull lsquoThe end of APTsrsquobull Alternative payment systems and stock exchangebull Sabotage extortion and shamebull Ransomwarebull Trusted resourcesbull From lsquoAPT-as-a-Servicersquo to lsquoAccess-as-a-servicersquobull Balkanisationbull Transportationbull lsquoCrypto-apocalypse
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
Summary
― lsquoCyber threatrsquo is nothing new ndash in our view
― But it is serious
― Target defence in depth
― Staff contractors and suppliers are now your weakest link
― Get back to basics on information governance
― Apply technology solutions intelligently to support amp enable
History quiz
History quiz
Just how successful was it
Not very successful at
all
Perception versus reality
We think we are building thishellip
But we have potentially built thishellip
Case studies ndash poor practices
― October 2015
― Cause Simple (and old) technical exploit (executed by a 15 year-old boy)
― Immediate result 150000 customer records stolen (0ver 15000 full bank details)
― Incidentcrisis management extremely poor― CEO unprepared amp poorly briefed
― Scope of breach massively over-estimated
― Response ill-judged (500000 customers given lsquofree upgradersquo)
― Impacts― REPUTATION ndash Lost 95000 customers in year 1
― FINANCIAL ndash Current financial cost estimated at pound60m
― REGULATORY ndash Formally sanctioned by ICO (Fined 400k)
Case studies ndash insider threat
― December 2014
― Cause Malicious software deployed via lsquophishingrsquo attack used to obtain IDs and passwords
― Politically motivated
― Immediate result 100 terabytes of data stolen (the whole of the ldquocoukrdquo domain is only 68 Tb)
― Data included entire movies financials staff data salary data email records
― Data posted on the internet for download
― Impacts― REPUTATION ndash Deputy CEO forced to resign due to damaging email content
― FINANCIAL ndash Current financial cost estimated at $15m (impact reduced byinsurances and managed legal response)
Case studies ndash third party
― Spring 2014
― Cause Security compromise at third party AirCon and Ventilation contractor ndash access gained to Targetrsquos network
― Immediate result 70m customer records and 40m credit card records harvested across 1797 stores over extended period
― Data downloaded by criminals in Russia
― Impacts― FINANCIAL ndash Current financial cost to Target estimated at $61m (Industry-wide costs estimated at
$200m)
Get back to basics
― Itrsquos not just about the enemy at the gates (ie the perimeter)
― The perimeter is hard to define these days
― We cannot rely solely upon prevention ndash our detection and response capability must improve
We need to take the threat seriously
Get back to basics
― Technology and tools of the highest quality can be undermined by weaknesses in basic security practices
― Or by a flawed corporate culture
― CyberInformation risk is a problem for the entire business to resolve ndash not just IT
― Todayrsquos cyber criminals recognise this and exploit it by adopting a range of approaches which step away from the purely technical and exploit weaknesses in the way that organisations manage control and interact with their information
― A full frontal assault is unlikely to be profitable ndash an attacker will target compromise from the inside And they can be very patient
Get back to basics
Fundamentally addressing the Cyber Threat means going back to basics looking again at your organisation and the controls you already have
― Understanding your people ndash what threats do they pose After all there is no patch for stupidity
― Understanding your organisationrsquos information where it is and how it is used
― Identifying the main risks to physical and information assets
― Ensuring that the right measures are adopted to mitigate risk to within acceptable levels ndash balancing cost versus risk
Get back to basics ndash governance foundations
Unless the foundations of good information and security governance are working well any investment in security technology will most likely be wasted Fundamental areas for focus are
― Staff security training and awareness
― Robust oversight and management of third party suppliers
― Software amp hardware patch management
― Intelligent management amp admin of user access
― Clear policies on security acceptable system use and social media
People Process Tools In that order
Get back to basics ndash making it work
For effective and sustainable governance
― Setting maintaining and continuing to evolve the ldquotone at the toprdquo
― Monitoring of information risk management by the Board of Directors
― Ongoing practical and relevant awareness training
― Independent assurance
― Regular risk-based security testing Inside and outside the perimeter
What happens if a security breach occurs?
― If a security breach occurs, organisations that follow clearly documented plans to reduce the impact of the breach have a much better chance of staying out of the law courts and avoiding punishment.
― Most organisations, unfortunately, don't have good systems for actually managing the problem. If a breach occurs, the law is really concerned with your behaviour at that point in time. You can't unravel the past and pretend the breach didn't occur; it's what you do from that point on that will determine your culpability.
― On top of having well documented systems and procedures, organisations need to have clearly defined actions for dealing with a breach and limiting the damage to those affected. This is likely to involve multiple disciplines that could include information security specialists, IT resources, a PR agency, legal advice and credit reporting services.
― If you adopt an honourable stance from the outset, doing the right thing at the right time, then your legal team is in a very strong position to defend you to the regulator, arguing that you're not the kind of organisation that has the profile that requires all of the effect of the law and therefore the punishment.
How to protect organisations from security breaches
― Take some basic steps to build a "protective shield", most notably:
― Build a single, unified security policy
― Ensure information security forms part of any contract initiation
― Make security part of the process when any project is initiated
― Employee adequacy – ensure you have processes for handling new employees, changes of job and employees exiting the company; show that they were made aware of security requirements
― Third-party assurance – have processes in place to guard information held by third parties
― Culture – have a managerial structure in place that demonstrates a chain of responsibility for handling security and reporting errors:
― 'Tone at the top'
― Shared ownership of good practices
― Openness & transparency – continuous improvement
State of the Nation – addressing Cyber Risk
Four golden rules our plan is founded upon:
― Get the basics right – over 75% of attacks exploit failures to put in place basic controls.
― Look after the crown jewels – you have to prioritize where you spend your money to defend yourself, so build a fortress around your most critical asset.
― Do your homework on your enemies – invest in understanding who might attack you, why and how, so that you can anticipate the most likely scenarios and defend those assets that are most likely to get attacked.
― Treat cyber risk as an opportunity to look closely at your business – security and resilience can affect nearly every part of an organization. Strategies to protect IT security and business resiliency should align with an organization's broader goals, from protecting intellectual property to maximizing productivity to finding new ways to delight customers.
Solving the big 'Board reporting problem' in cyber – Jon Hawes, Security Intelligence Strategist, Panaseer
Cyber security insurance – Graeme Newman, Chief Innovation Officer, CFC
Tackling the insider threat – Garath Lauder, Director, Cyberseer; Ted Plumis, Vice President of Channels and Corporate Development, Exabeam
Social engineering: the art of the con – Rob Shapland, Penetration Testing Team Manager, First Base Technologies
Cryptography Basics – Dr David Weston, Lecturer in Computer Science and Information Systems, Birkbeck, University of London
Tokens, Honeypots, Identification, Authorisation Services – Ray Dalgarno, Director, CYBERCAST
Trust with "THIS"
Tokens, Honeypots, Identification, Authorisation Services – The Confluence
Agenda
― Warfare
― Attack Surface, Attribution, Residency, Deniability
― Honeypots & Tokens
― Identification and Authorisation
― Conclusion
Warfare
Security through obscurity – the reason the armed forces adopt camouflage
NHS Cyber Attacks – The Telegraph, 1st Nov 2016
"…hacking is no longer the stuff of spy thrillers and action movies but a clear and present threat…"
"…Ben Gummer, minister for Cabinet, says that large quantities of sensitive data held by the NHS and the Government is being targeted by hackers…"
"…Ministers will also unveil a Cyber Security Research Institute, a virtual collection of UK universities which will work towards making passwords obsolete…"
Cyber Fraud
"…Online fraudsters stole £10.9bn in the UK last year…"
"…39% (of respondents) questioned by "Get Safe Online" said they were a victim of cybercrime but did not report it…"
"…53% received phishing messages…"
Extract from The Telegraph, 20th October 2016
Cyber Crime is a War Zone
"Rouse him and learn the principle of his activity or inactivity. Force him to reveal himself so as to find out his vulnerable spots."
"If you know the enemy and know yourself you need not fear the results of a hundred battles."
– Sun Tzu, Military General, Strategist & Philosopher, 5th Century BC, China
Deception is a powerful, effective but under-utilised tool – (at least by defenders)
Full range of "effects" on adversaries possible through deception
Deception Effects – Attacker & Defender
Effect: what the attacker tries to achieve / what the defender tries to achieve
― Fail to observe: prevent the defender from detecting the attack / prevent the attacker from discovering their target
― Reveal: trick the defender into providing access / trick the attacker into revealing their presence
― Waste time: focus the defender's attention on the wrong aspects of the incident / focus the attacker's efforts on the wrong target
Operation Mincemeat – 1943
Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa: to convince the Germans that, instead of attacking Sicily, the Allied armies would invade Greece.
This was accomplished by persuading the Germans that they had, by accident, intercepted top secret documents giving details of Allied war plans.
Attack Surface, Attribution, Residency, Deniability
From the living room to the boardroom
Attack Surface
From ordinary consumers to a single-office business, through the regulatory bodies, to the national and global giants
The environment dictates the approach – no "Silver Bullet"
Layered security – combining multiple mitigating security controls to cost-effectively protect resources & data
Attack Attribution
At which point in the attack do you realise that you have been hacked?
TalkTalk, DNC, Yahoo
There are very few "smoking guns" visible
Attacks that often begin with broadly targeted phishing, that can introduce & run new binaries on victims' networks, & that connect to random internal hosts using exfiltrated credentials, can still remain hidden for a year
Examples of Global IT Vendors' Vulnerabilities
― Microsoft: Microsoft's August (2016) Patch Tuesday included five updates rated critical out of a total of nine, bringing the number of patches for the year-to-date to 103.
― SAP: There are vulnerabilities in almost every SAP module; CRM, EP and SRM are leaders among them. (ERPScan, SAP Cyber Threat Report 2016)
― Oracle MICROS (and others): In total, more than one million PoS terminals around the world could be at risk should the attacks prove to have been deeper than the companies are currently publicly admitting. (Computing, Aug)
Dwell Time / Residency
Mandiant reported that attackers on average lurked on a network for 205 days before being discovered¹
Microsoft recently reported they place the number at more than 200 days to detect a security breach and 80 days to contain it²
1 https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf
2 https://blogs.windows.com/windowsexperience/2016/03/01/announcing-windows-defender-advanced-threat-protection
Plausible Deniability & Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrongdoing cannot be proved true or untrue due to a lack of evidence proving the allegation.
It is a basic law for the cheat and the deceiver: be able to offer up an excuse that cannot be disproved easily and that makes sense for the situation.
Trickle-down Effects
Increasing rapidity of trickle-down in cars: yesteryear's top-end car innovations eventually migrate through the models, becoming standard options in lower-priced vehicles.
This pattern of innovation holds true in virtually every field, including cyber-security.
Malware as a Service (MaaS) – moving from the heavily funded specialist cyber experts down into the mass market
MaaS is now commonly available at very low cost through the darknet and networks such as TOR and I2P
Honeypots & Tokens – Evolution, Mimicry
Honeypots
Venus Flytrap in Action (triggered honeypot)
Trojan Horse (passive honeypot): built by the Greeks and used to enter the city of Troy and win the 10-year Trojan War – a 4th Century story
Cartography: a trap street (passive honeypot) is a fictitious entry in the form of a misrepresented street, for the purpose of trapping potential copyright violators
Tempting – moneypot
All mine………
Ooops
Honeypot Principle
Focus on detecting threats. Here we'd like to know immediately someone has broken into the network and is in places they shouldn't be.
Ensure the honeypot looks appealing to the attacker. The honeypot must look legitimate & enticing.
In this attack scenario the defender has a particular advantage. Once attackers initially land inside your internal network they're at a disadvantage: they don't know the lay of the land and they need to explore it (reconnaissance) while remaining hidden.
Defence through Deception
Deception is a highly effective solution for protecting environments, used to confuse, delay and redirect the enemy.
Lured to the Canary honeypot, the attacker will be tricked into engaging with that device and believe they are being successful in their attack.
Canary – Today and Tomorrow
Canary – great for remote sites, but what about our VM data centres?
What about integration with established enterprise monitoring frameworks such as OpenView, CA or Microsoft SCOM?
Console management limit on the number of deployed Canaries
Are "Canarytokens" part of tomorrow's planning?
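To make the honeypot principle and the Canarytoken idea concrete, here is an added Python example (not from the talk and not any vendor's product) of a honeytoken registry and detector: it mints unique, unguessable bait values of three kinds, and scans constructed sample log lines for any use of them, since nothing legitimate ever touches a decoy. All hostnames, paths, addresses and token ids are invented.

```python
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Honeytoken:
    token_id: str     # random, unguessable id; one per decoy location
    kind: str         # "aws_key", "url" or "dns"
    signature: str    # the string that appears in a log when the bait is used
    planted_at: str   # where the bait was left, so an alert names the decoy


@dataclass(frozen=True)
class Alert:
    timestamp: str
    source: str       # host or address that used the bait
    token: Honeytoken
    evidence: str     # the raw log message that fired


class HoneytokenRegistry:
    """Mints bait values and remembers where each one was planted."""

    def __init__(self) -> None:
        self._tokens: Dict[str, Honeytoken] = {}

    def mint(self, kind: str, planted_at: str,
             token_id: Optional[str] = None) -> Honeytoken:
        token_id = token_id or secrets.token_hex(8)  # 16 hex chars, unguessable
        if kind == "aws_key":
            # Shaped like an AWS access key id but never valid anywhere
            signature = "AKIA" + token_id.upper()[:16]
        elif kind == "url":
            # Path of a decoy document on a hypothetical intranet share
            signature = f"/finance/{token_id}/q4-forecast.xlsx"
        elif kind == "dns":
            # Hostname under a hypothetical domain the defender controls
            signature = f"{token_id}.canary.example.test"
        else:
            raise ValueError(f"unknown honeytoken kind: {kind}")
        token = Honeytoken(token_id, kind, signature, planted_at)
        self._tokens[token_id] = token
        return token

    def tokens(self) -> Iterable[Honeytoken]:
        return self._tokens.values()


# Constructed log shape used by the sample below: "<timestamp> <source> <message>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<msg>.+)$")


def detect(registry: HoneytokenRegistry, lines: Iterable[str]) -> List[Alert]:
    """One Alert per log line that references any planted bait.

    Nothing legitimate ever uses a honeytoken, so a single hit is a
    high-fidelity signal; no thresholds or baselines are needed.
    """
    alerts: List[Alert] = []
    for line in lines:
        match = LOG_LINE.match(line.strip())
        if not match:
            continue
        message = match["msg"]
        lowered = message.lower()  # DNS names and hex ids are case-insensitive
        for token in registry.tokens():
            if token.signature.lower() in lowered:
                alerts.append(Alert(match["ts"], match["src"], token, message))
    return alerts


def by_source(alerts: Iterable[Alert]) -> Dict[str, List[str]]:
    """Group touched decoys by source: the hosts a responder looks at first."""
    grouped: Dict[str, List[str]] = {}
    for alert in alerts:
        grouped.setdefault(alert.source, []).append(alert.token.planted_at)
    return grouped


def demo() -> List[Alert]:
    """Plant three baits and scan constructed sample logs for their use."""
    registry = HoneytokenRegistry()
    registry.mint("aws_key", "fake credentials file on the FS01 backup share",
                  token_id="deadbeefcafe0001")
    registry.mint("url", "link inside a decoy 'Board pack Q4' document",
                  token_id="1a2b3c4d5e6f7a8b")
    registry.mint("dns", "decoy 'db-prod-replica' hosts entry on JUMP01",
                  token_id="0f9e8d7c6b5a4f3e")
    # Constructed sample lines from three log sources (web, DNS, cloud audit)
    sample_logs = [
        "2016-11-04T09:12:01Z 10.20.5.77 GET /finance/1a2b3c4d5e6f7a8b/q4-forecast.xlsx 200",
        "2016-11-04T09:12:05Z 10.20.5.77 GET /finance/index.html 200",
        "2016-11-04T09:13:40Z 10.20.5.77 query A 0F9E8D7C6B5A4F3E.canary.example.test",
        "2016-11-04T09:15:22Z 203.0.113.9 GetCallerIdentity accessKeyId=AKIADEADBEEFCAFE0001 AccessDenied",
        "2016-11-04T09:16:00Z 10.20.5.12 GET /finance/q3-actuals.xlsx 200",
    ]
    return detect(registry, sample_logs)


if __name__ == "__main__":
    for alert in demo():
        print(f"{alert.timestamp} {alert.source} touched decoy: {alert.token.planted_at}")
```

The sample fires three times: the same internal host opens the decoy document and resolves the decoy hostname, and an external address later presents the fake key; the one legitimate-looking request never triggers anything.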
Identification & Authorisation
A new way forward
Tokens
Tokens – In general a token is an object that represents something else, such as another object (either physical or virtual) or an abstract concept. In computer systems there are a number of types of tokens, both hardware and software.
In human terms a token of trust can exist between two parties, with such levels of trust reinforced through personal introductions with other parties.
A token generation & management platform designed specifically for high security multi-services in public and private clouds greatly enhances trustworthy information handling.
Identification with Passwords
Any directory service or management platform holding passwords becomes a target by the attacker for credentials' theft.
Passwords are fundamentally flawed: often easy to guess; reused across different services; written down, stored or shared; can be intercepted; expensive to maintain. 29% of all cybercrime is from stolen passwords.
Identification WITHOUT Password
The Problem: The password has outlived its usefulness.
Secure Cloudlink's Response: Patented and highly secure tokenised message management solution assures password redundancy. User credentials are not transmitted, stored or replicated. Secure digital services – a snap for the user.
Randomised encrypted key generation – no consistent key to be stolen
Conclusion – Possible quick-wins
Immediate Low-risk Considerations
― People protection: Continuous interactive education on the threats & risks posed by cyber-criminals, through the deployment of Phish5 email phishing simulations with supporting education processes
― Network hardening: Rapid deployment of customisable, low-cost, capex-free Canary honeypots throughout the strategic points on the network
― Access & authorisation protection: Review and assess the usage & costs (direct/indirect) of passwords in your own organisation – test the results against Secure Cloudlink
― Information handling assurance: Regular external expert assessment & audit of network data governance practices and procedures
Security Through Obscurity
― Warfare – The Social Threat
― Attack Surface, Attribution, Residency, Deniability – Living room to Boardroom
― Honeypots & Tokens – Evolution Mimicked
― Identification and Authorisation – New Pathway
Thank you
Trust in "THIS"
Security through Obscurity – Ray Dalgarno
ray@cybercast.co
New and evolving forms of malware – Mark Olding, Senior Enterprise Presales Consultant, Kaspersky Labs
The what, how, who and why of computer malware
Mark Olding, Senior Enterprise Presales Consultant
THE SCALE OF THE THREAT
― 1994: 1 new virus every hour
― 2006: 1 new virus every minute
― 2011: 1 new virus every second
― 2016: 310,000 new samples every day
THE SCALE OF THE THREAT
(chart: traditional cybercrime 90%; targeted threats to organizations, i.e. targeted attacks and advanced persistent threats, 9.9%; cyber-weapons 0.1%)
THE NATURE OF THE THREAT
TRENDS AND THREATS
― Internet of Things
― Big Data
― Fragmentation of the internet
― Cloud & Virtualization
― Consumerisation & Mobility
― Critical Infrastructure at risk
― Increasing online commerce
― Privacy & Data protection challenge
― Online banking at risk
― Mobile threats
― Decreasing costs of APTs
― Merger of cyber crime and APTs
― Supply chain attacks
― Targeting hotel networks
― Ransomware programs
― Cyber mercenaries
― Massive data leaks
― Malware for ATMs
― Financial phishing attacks
― Attacks on PoS terminals
― Threats to Smart Cities
― 'Wipers' & Cyber-sabotage
― Targeted Attacks
HOW MALWARE SPREADS
― USB sticks
― Email
― Exploit kits
― Social Networks
― Browsers
― Android OS
VULNERABILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798,113,087 web attacks in 2015
― 25 attacks per second
― 1,518 attacks per minute
― 91,000 attacks per hour
― 2.1 million attacks per day
DRIVE-BY DOWNLOADS (chart, June 2015)
SOCIAL MEDIA (chart, June 2015)
REMOVABLE DRIVES (chart, June 2015)
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
(chart: users attacked per month, Nov 2014 – Sep 2015, scale 0–450,000)
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on almost 2 million computers.
This number is 2.8% higher than in 2014.
Ransomware (chart, June 2015)
― BLOCKERS
― CRYPTORS
Advanced Persistent Threats
Stuxnet, Duqu, Gauss, Flame, MiniFlame, Kimsuky, NetTraveler, Winnti, Icefog, Red October, Miniduke, TeamSpy, Energetic Bear / Crouching Yeti, Epic Turla, Careto / The Mask, Regin, CosmicDuke, Darkhotel, Spring Dragon, Satellite Turla, MsnMM Campaigns, Darkhotel Part 2, Animal Farm, Equation, Desert Falcons, Carbanak, Sofacy, Hellsing, Naikon, Duqu 2.0, Blue Termite, Wild Neutron
We discover and dissect the world's most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
A targeted attack on a bank
1 Infection: emails with exploits – Carbanak sent the backdoor as an attachment to bank employees; credentials stolen; 100s of machines infected in search of the admin PC
2 Harvesting intelligence: intercepting the clerk's screen (recording the admin's activity)
3 Mimicking the staff – how the money was stolen:
― Online banking: money was transferred to the fraudsters' accounts
― E-payment systems: money was transferred to banks in China and the US
― Inflated account balances: the extra funds were pocketed via a fraudulent transaction
― Controlling ATMs: orders to dispense cash at a pre-determined time
MAC MALWARE
In 2012 the Flashback botnet was discovered, consisting of 700,000 computers all running Mac OS X
Cybercriminals repeatedly use Mac malware when launching targeted attacks
Macs can unknowingly pass PC malware on to PCs in your network
MAC MALWARE
(chart: Mac malware samples by year, 2003–2015, scale 0–30,000)
Since 2012 the proportion of adware on OS X has increased fivefold (x5)
Kaspersky Lab recorded almost 6 million unique attacks on Mac devices in 2015
There are more than 24,000 samples of malicious OS X files in Kaspersky Lab's collection
MOBILE MALWARE
(chart: mobile malware samples by quarter, Q1 2011 – Q3 2015, scale 0–1,600,000)
MOBILE MALWARE
(chart: breakdown by type – Adware, RiskTool, Trojan-SMS, Trojan, Trojan-Spy, Backdoor, Trojan-Downloader, Trojan-Banker, Trojan-Ransom, Monitor, Other)
RIGHT NOW
• Evaluate the risks
• Patch OS and applications
• Manage your network
• Secure your systems: multi-layered protection; not just endpoints; Default-Deny; encrypt; don't forget mobile
• Educate staff
TOMORROW
• Stop fire fighting – create a strategy
• It's bigger than IT
• Delegate to experts: assessment, incident response, analysis
FUTURE PROSPECTS
• 'The end of APTs'
• Alternative payment systems and stock exchange
• Sabotage, extortion and shame
• Ransomware
• Trusted resources
• From 'APT-as-a-Service' to 'Access-as-a-Service'
• Balkanisation
• Transportation
• 'Crypto-apocalypse'
THANK YOU
Closing keynote address – Vicki Gavin, Compliance Director, Head of Business Continuity & Information Security, The Economist Group
Thank you
History quiz
Just how successful was it?
Not very successful at all
Perception versus reality
We think we are building this…
But we have potentially built this…
Case studies – poor practices
― October 2015
― Cause: Simple (and old) technical exploit (executed by a 15-year-old boy)
― Immediate result: 150,000 customer records stolen (over 15,000 full bank details)
― Incident/crisis management extremely poor:
― CEO unprepared & poorly briefed
― Scope of breach massively over-estimated
― Response ill-judged (500,000 customers given 'free upgrade')
― Impacts:
― REPUTATION – Lost 95,000 customers in year 1
― FINANCIAL – Current financial cost estimated at £60m
― REGULATORY – Formally sanctioned by ICO (fined £400k)
Case studies – insider threat
― December 2014
― Cause: Malicious software deployed via 'phishing' attack, used to obtain IDs and passwords
― Politically motivated
― Immediate result: 100 terabytes of data stolen (the whole of the ".co.uk" domain is only 68 Tb)
― Data included entire movies, financials, staff data, salary data, email records
― Data posted on the internet for download
― Impacts:
― REPUTATION – Deputy CEO forced to resign due to damaging email content
― FINANCIAL – Current financial cost estimated at $15m (impact reduced by insurances and managed legal response)
Case studies – third party
― Spring 2014
― Cause: Security compromise at third-party air-con and ventilation contractor – access gained to Target's network
― Immediate result: 70m customer records and 40m credit card records harvested across 1,797 stores over an extended period
― Data downloaded by criminals in Russia
― Impacts:
― FINANCIAL – Current financial cost to Target estimated at $61m (industry-wide costs estimated at $200m)
Get back to basics
― It's not just about the enemy at the gates (i.e. the perimeter)
― The perimeter is hard to define these days
― We cannot rely solely upon prevention – our detection and response capability must improve
We need to take the threat seriously
Get back to basics
― Technology and tools of the highest quality can be undermined by weaknesses in basic security practices
― Or by a flawed corporate culture
― Cyber/information risk is a problem for the entire business to resolve – not just IT
― Today's cyber criminals recognise this and exploit it by adopting a range of approaches which step away from the purely technical and exploit weaknesses in the way that organisations manage, control and interact with their information
― A full frontal assault is unlikely to be profitable – an attacker will target compromise from the inside. And they can be very patient
Get back to basics
Fundamentally, addressing the Cyber Threat means going back to basics: looking again at your organisation and the controls you already have
― Understanding your people – what threats do they pose? After all, there is no patch for stupidity
― Understanding your organisationrsquos information where it is and how it is used
― Identifying the main risks to physical and information assets
― Ensuring that the right measures are adopted to mitigate risk to within acceptable levels ndash balancing cost versus risk
Get back to basics ndash governance foundations
Unless the foundations of good information and security governance are working well any investment in security technology will most likely be wasted Fundamental areas for focus are
― Staff security training and awareness
― Robust oversight and management of third party suppliers
― Software amp hardware patch management
― Intelligent management amp admin of user access
― Clear policies on security acceptable system use and social media
People Process Tools In that order
Get back to basics ndash making it work
For effective and sustainable governance
― Setting maintaining and continuing to evolve the ldquotone at the toprdquo
― Monitoring of information risk management by the Board of Directors
― Ongoing practical and relevant awareness training
― Independent assurance
― Regular risk-based security testing Inside and outside the perimeter
What happens if a security breach occurs
― If a security breach occurs organisations that follow clearly documented plans to reduce the impact of the breach have a much better chance of staying out of the law courts and avoiding punishment
― Most organisations unfortunately dont have good systems for actually managing the problem If a breach occurs the law is really concerned with your behaviour at that point in time You cant unravel the past and pretend the breach didnt occur its what you do from that point on that will determine your culpability
― On top of having well documented systems and procedures organisations need to have clearly defined actions for dealing with a breach and limiting the damage to those affected This is likely to involve multiple disciplines that could include information security specialists IT resources a PR agency legal advice and credit reporting services
― If you adopt an honourable stance from the outset doing the right thing at the right time then your legal team is in a very strong position to defend you to the regulator arguing that youre not the kind of organisation that has the profile that requires all of the effect of the law and therefore the punishment
How to protect organisations from security breaches
― Take some basic steps to build a protective shieldrdquo most notably― Build a single unified security policy
― Ensure information security forms part of any contract initiation
― Make security part of the process when any project is initiated
― Employee adequacy ndash ensure you have processes for handling new employees changes of job and for employees exiting the company show that they were made aware of security requirements
― Third-party assurance ndash have processes in place to guard information held by third parties
― Culture ndash have a managerial structure in place that demonstrates a chain of responsibility for handling security and reporting errors― lsquoTone at the toprsquo
― Shared ownership of good practices
― Openness amp transparency ndash continuous improvement
State of the Nation ndash addressing Cyber RiskFour golden rules our plan is founded upon
Over 75 of attacks exploit failures to put in place basic controls
Get the basics right
You have to prioritize where you spend your money to defend yourself so build a fortress
around your most critical asset
Look after the crown jewels
Invest in understanding who might attack you why and how so that you can anticipate the most likely scenarios and defend those assets that are
most likely to get attacked
Do your homework on your enemies
Security and resilience can affect nearly every part of an organization Strategies to protect IT
security and business resiliency should align with an organizationrsquos broader goals ndash from protecting intellectual property to maximizing productivity to
finding new ways to delight customers
Treat cyber risk as an opportunity to look closely at your business
Solving the big lsquoBoard reporting problemrsquo in cyberJon Hawes Security Intelligence Strategist Panaseer
Cyber security insuranceGraeme Newman Chief Innovation OfficerCFC
Tackling the insider threatGarath Lauder Director CyberseerTed Plumis Vice President of Channels and Corporate Development Exabeam
Social engineering the art of the conRob Shapland Penetration Testing Team Manager First Base Technologies
Cryptography Basics Dr David Weston Lecturer in Computer Science and Information SystemsBirkbeck University of London
Tokens Honeypots Idenitfication Authorisation Services Ray Dalgarno Director CYBERCAST
Trust with ldquoTHISrdquo
TokensHoneypots
Identification Authorisation ServicesThe Confluence
Agenda
Warfare
Attack Surface Attribution Residency Deniability
Honeypots amp Tokens
Identification and Authorisation
Conclusion
WarfareSecurity through obscurity ndash
the reason the armed forces adopt camouflage
NHS Cyber Attacks ndash The Telegraph 1st Nov 2016
ldquohelliphacking is no longer the stuff of spy thrillers and action movies but a clear and present threathelliprdquo
ldquohellipBen Gummer minister for Cabinet says that large quantities of sensitive data held by the NHS and the Government is being targeted by hackershelliprdquo
ldquohellipMinisters will also unveil a Cyber Security Research Institute a virtual collection of UK universities which will work towards making passwords obsoletehelliprdquo
Cyber Fraud
ldquohellipOnline fraudsters stole pound109bn in the UK last yearhelliprdquo
ldquohellip39 (of respondents) questioned by ldquoGet Safe Onlinerdquo said they were a victim of cybercrime but did not report ithelliprdquo
ldquohellip53 received phishing messageshelliprdquo
Extract from The Telegraph 20th October 2016
Cyber Crime is a War ZoneldquoRouse him and learn the principle of his activity or inactivity Force him to reveal himself so as to find out his vulnerable spotsrdquoldquoIf you know the enemy and know yourself you need not fear the results of a hundred battlesrdquo
- Sun Tzu Military General Strategist amp Philosopher 5th Century BC ChinaDeception is a powerful effective but under utilised tool ndash (at least by defenders)
Full range of ldquoeffectsrdquo on adversaries possible through deception
Effects Attacker Defender
Fail to observe
Prevent the defender from detecting the attack Prevent the attacker from discovering their target
Reveal
Trick the defender into providing access Trick the attacker into revealing their presence
Waste Time
Focus the defenderrsquos attention on the wrong aspects of the incident
Focus the attackerrsquos efforts on the wrong target
Deception Effects - Attacker amp Defender
Operation Mincemeat - 1943
Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa To convince the Germans that instead of attacking Sicily the Allied armies would invade Greece
Operation Mincemeat - 1943Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa To convince the Germans that instead of attacking Sicily the Allied armies would invade Greece
This was accomplished by persuading the Germans that they had by accident intercepted top secret documents giving details of Allied war plans
Attack Surface Attribution Residency
DeniabilityFrom the living room to the boardroom
Attack Surface
From ordinary consumers to a single-office business through the regulatory bodies to the national and global giants
The environment dictates the approach ndash no ldquoSilver Bulletrdquo
Layered security ndash combining multiple mitigating security controls to cost effectively protect resources amp data
Attack AttributionAt which point in the attack do you realise that you have been hacked
TalkTalk DNC Yahoo
There are very few ldquosmoking gunsrdquo visible
Attacks that often begin with broadly targeted phishing that can introduce amp run new binaries on victims networks amp that connect to random internal hosts using exfiltrated credentials can still remain hidden for a year
Examples of Global IT Vendorsrsquo Vulnerabilities
Microsoft Microsoft August (2016) Patch Tuesday included five updates rated
critical out of a total of nine bringing the number of patches for the year-to-date at 103
SAP There are vulnerabilities in almost every SAP module CRM EP and SRM
are leaders among them ERPScan SAP Cyber Threat Report2016
Oracle MICROS (and others) In total more than one million PoS terminals around the world could be
at risk should the attacks prove to have been deeper than the companies are currently publicly admitting
Computing Aug
Dwell TimeResidency
Mandiant reported that attackers on average lurked on a network for 205 days before being discoveredsup1
Microsoft recently reported they place the number at more than 200 days to detect a security breach and 80 days to contain itsup2
1 httpswww2fireeyecomrsfireyeimagesrpt-m-trends-2015pdf2 httpsblogswindowscomwindowsexperience20160301announcing-windows-defender-advanced-threat-protection
Plausible Deniability amp Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrong doing cannot be proved as true or untrue due to a lack of evidence proving the allegation
It is a basic law for the cheat and the deceiver Be able to offer up an excuse that cannot be disproved easily and that makes sense for the situation
Trickle-down Effects
Increasing rapidity of car-trickle-down yester-yearsrsquo top end car innovations eventually migrate through the models becoming standard options in lower-priced vehicles
This pattern of innovation holds true in virtually every field including cyber- security
Malware as a Service (MaaS) ndash moving from the heavily funded specialist cyber experts down into the mass market
MaaS now commonly available at very low cost through the darknet and sites such TOR I2p
Honeypots amp TokensEvolution Mimicry
Honeypots
Venus Flytrap in Action (triggered honeypot)
Trojan Horse (passive honeypot) Greeks built used to enter the city of Troy and win the 10 year Trojan war - 4th Century story
Cartography A trap street (passive honeypot) is a fictitious entry in the form of a misrepresented street for the purpose of trapping potential copyright violators
Tempting - moneypot
All minehelliphelliphellip
Ooops
Honeypot Principle
Focus on detecting threats Here wersquod like to know immediately someone has broken into the network
and in places they shouldnrsquot be
Ensure the honeypot looks appealing to the attacker The honeypot must look legitimate amp enticing
In this attack scenario the defender has particular advantage Once attackers initially land inside your internal network theyrsquore at a
disadvantage They donrsquot know the lay of the land and they need to explore it (reconnaissance) while remaining hidden
Defence through Deception
Deception is a highly effective solution for protecting environments used to confuse delay and redirect the enemy
Lured to the Canary Honeypot the attacker will be tricked into engaging with that device and believe they are being successful in their attack
Canary ndash Today and Tomorrow
Canary - great for remote sites but what about our VM data centres
What about integration with established enterprise monitoring frameworks such as Openview CA or Microsoft SCOM
Console management limit on the number of deployed Canaries
Are ldquoCanarytokensrdquo part of tomorrowrsquos planning
Identification amp Authorisation
A new way forward
TokensTokens - In general a token is an object that represents something else such as another object (either physical or virtual) or an abstract concept In computer systems there are a number of types of tokens both hardware and software
In human terms a token of trust can exist between two parties with such levels of trust reinforced through personal introductions with other partiesA token generation amp management platform designed specifically for high security multi-services in public and private clouds
greatly enhances trustworthy information handling
Identification with Passwords: any directory service or management platform holding passwords becomes a target for the attacker for credential theft
Passwords are fundamentally flawed: often easy to guess; reused across different services; written down, stored or shared; can be intercepted; expensive to maintain. 29% of all cybercrime is from stolen passwords
Identification WITHOUT Password
The Problem: the password has outlived its usefulness
Secure Cloudlink's Response: patented and highly secure tokenised message management solution assures password redundancy. User credentials are not transmitted, stored or replicated. Secure digital services - a snap for the user
Randomised encrypted key generation - no consistent key to be stolen
Conclusion: possible quick-wins
Immediate low-risk considerations
People protection: continuous interactive education on the threats & risks posed by cyber-criminals, through the deployment of Phish5 email phishing simulations with supporting education processes
Network hardening: rapid deployment of customisable, low-cost, capex-free Canary honeypots at the strategic points on the network
Access & authorisation protection: review and assess the usage & costs (direct/indirect) of passwords in your own organisation - test the results against Secure Cloudlink
Information handling assurance: regular external expert assessment & audit of network data governance practices and procedures
Security Through Obscurity
Warfare - The Social Threat
Attack Surface, Attribution, Residency, Deniability - Living room to Boardroom
Honeypots & Tokens - Evolution Mimicked
Identification and Authorisation - New Pathway
Thank you
Trust in "THIS"
Security through Obscurity - Ray Dalgarno
ray@cybercast.co
New and evolving forms of malware - Mark Olding, Senior Enterprise Presales Consultant, Kaspersky Labs
The what, how, who and why of computer malware
Mark Olding, Senior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1994: 1 new virus every hour
2006: 1 new virus every minute
2011: 1 new virus every second
2016: 310,000 new samples every day
THE SCALE OF THE THREAT (chart)
Traditional cybercrime: 90%
Targeted attacks / advanced persistent threats (targeted threats to organizations): 9.9%
Cyber-weapons: 0.1%
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of Things; Big Data; Fragmentation of the internet
Cloud & Virtualization; Consumerisation & Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy & Data protection challenge
Online banking at risk
Mobile threats; Decreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of Things; Targeting hotel networks
Ransomware programs
Cyber mercenaries; Massive data leaks
Malware for ATMs
Financial phishing attacks; Attacks on PoS terminals
Threats to Smart Cities; 'Wipers' & Cyber-sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks; Email; Exploit kits; Social Networks; Browsers; Android OS
VULNERABILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798,113,087 web attacks in 2015
25 attacks per second; 1,518 attacks per minute; 91,000 attacks per hour; 2.1 million attacks per day
DRIVE-BY DOWNLOADS (June 2015)
SOCIAL MEDIA (June 2015)
REMOVABLE DRIVES (June 2015)
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015 (chart: users attacked per month, Nov 2014 to Sep 2015, scale 0 to 450,000)
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on almost 2 million computers
This number is 2.8% higher than in 2014
Ransomware (June 2015): blockers vs cryptors (chart)
Advanced Persistent Threats
Stuxnet, Duqu, Gauss, Flame, MiniFlame, Kimsuky, NetTraveler, Winnti, Icefog, RedOctober, Miniduke, TeamSpy, Energetic Bear / Crouching Yeti, Epic Turla, Careto / The Mask, Regin, CosmicDuke, Darkhotel, Spring Dragon, Satellite Turla, MsnMM Campaigns, Darkhotel Part 2, Animal Farm, Equation, Desert Falcons, Carbanak, Sofacy, Hellsing, Naikon, Duqu 2.0, Blue Termite, Wild Neutron
We discover and dissect the world's most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn - a targeted attack on a bank
1. Infection: emails with exploits sent to bank employees; Carbanak sent the backdoor as an attachment; credentials stolen; 100s of machines infected in search of the admin PC
2. Harvesting intelligence: intercepting the clerk's screen (recording the admin's activity on the cash transfer systems)
3. Mimicking the staff - how the money was stolen:
Online banking: money was transferred to the fraudsters' accounts
E-payment systems: money was transferred to banks in China and the US
Inflated account balances: the extra funds were pocketed via a fraudulent transaction
Controlling ATMs: orders to dispense cash at a pre-determined time
MAC MALWARE
In 2012 the Flashback botnet was discovered, consisting of 700,000 computers all running Mac OS X
Cybercriminals repeatedly use Mac malware when launching targeted attacks
Macs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE (chart: malware samples 2003 to 2015, scale 0 to 30,000)
Since 2012 the proportion of adware on OS X has increased fivefold (x5)
Kaspersky Lab recorded almost 6 million unique attacks on Mac devices in 2015
There are more than 24,000 samples of malicious OS X files in Kaspersky Lab's collection
MOBILE MALWARE (chart: malware samples per quarter, Q1 2011 to Q3 2015, scale 0 to 1,600,000)
MOBILE MALWARE (chart: share by type): Adware, RiskTool, Trojan-SMS, Trojan, Trojan-Spy, Backdoor, Trojan-Downloader, Trojan-Banker, Trojan-Ransom, Monitor, Other
RIGHT NOW
• Evaluate the risks
• Patch OS and applications
• Manage your network
• Secure your systems: multi-layered protection; not just endpoints; Default-Deny; encrypt; don't forget mobile
• Educate staff
TOMORROW
• Stop fire fighting: create a strategy
• It's bigger than IT
• Delegate to experts: assessment, incident response, analysis
FUTURE PROSPECTS
• 'The end of APTs'
• Alternative payment systems and stock exchange
• Sabotage, extortion and shame
• Ransomware
• Trusted resources
• From 'APT-as-a-Service' to 'Access-as-a-service'
• Balkanisation
• Transportation
• 'Crypto-apocalypse'
THANK YOU
Closing keynote address - Vicki Gavin, Compliance Director, Head of Business Continuity & Information Security, The Economist Group
Thank you
History quiz
Just how successful was it?
Not very successful at all
Perception versus reality
We think we are building this...
But we have potentially built this...
Case studies - poor practices
― October 2015
― Cause: simple (and old) technical exploit (executed by a 15-year-old boy)
― Immediate result: 150,000 customer records stolen (over 15,000 full bank details)
― Incident/crisis management extremely poor
― CEO unprepared & poorly briefed
― Scope of breach massively over-estimated
― Response ill-judged (500,000 customers given 'free upgrade')
― Impacts
― REPUTATION - lost 95,000 customers in year 1
― FINANCIAL - current financial cost estimated at £60m
― REGULATORY - formally sanctioned by ICO (fined 400k)
Case studies - insider threat
― December 2014
― Cause: malicious software deployed via 'phishing' attack, used to obtain IDs and passwords
― Politically motivated
― Immediate result: 100 terabytes of data stolen (the whole of the ".co.uk" domain is only 68 TB)
― Data included entire movies, financials, staff data, salary data, email records
― Data posted on the internet for download
― Impacts
― REPUTATION - Deputy CEO forced to resign due to damaging email content
― FINANCIAL - current financial cost estimated at $15m (impact reduced by insurances and managed legal response)
Case studies - third party
― Spring 2014
― Cause: security compromise at third-party air-con and ventilation contractor - access gained to Target's network
― Immediate result: 70m customer records and 40m credit card records harvested across 1,797 stores over an extended period
― Data downloaded by criminals in Russia
― Impacts
― FINANCIAL - current financial cost to Target estimated at $61m (industry-wide costs estimated at $200m)
Get back to basics
― It's not just about the enemy at the gates (i.e. the perimeter)
― The perimeter is hard to define these days
― We cannot rely solely upon prevention - our detection and response capability must improve
We need to take the threat seriously
Get back to basics
― Technology and tools of the highest quality can be undermined by weaknesses in basic security practices
― Or by a flawed corporate culture
― Cyber/Information risk is a problem for the entire business to resolve - not just IT
― Today's cyber criminals recognise this and exploit it by adopting a range of approaches which step away from the purely technical and exploit weaknesses in the way that organisations manage, control and interact with their information
― A full frontal assault is unlikely to be profitable - an attacker will target compromise from the inside. And they can be very patient
Get back to basics
Fundamentally, addressing the Cyber Threat means going back to basics: looking again at your organisation and the controls you already have
― Understanding your people - what threats do they pose? After all, there is no patch for stupidity
― Understanding your organisation's information: where it is and how it is used
― Identifying the main risks to physical and information assets
― Ensuring that the right measures are adopted to mitigate risk to within acceptable levels - balancing cost versus risk
Get back to basics - governance foundations
Unless the foundations of good information and security governance are working well, any investment in security technology will most likely be wasted. Fundamental areas for focus are:
― Staff security training and awareness
― Robust oversight and management of third-party suppliers
― Software & hardware patch management
― Intelligent management & admin of user access
― Clear policies on security, acceptable system use and social media
People, Process, Tools. In that order
Get back to basics - making it work
For effective and sustainable governance:
― Setting, maintaining and continuing to evolve the "tone at the top"
― Monitoring of information risk management by the Board of Directors
― Ongoing, practical and relevant awareness training
― Independent assurance
― Regular risk-based security testing, inside and outside the perimeter
What happens if a security breach occurs?
― If a security breach occurs, organisations that follow clearly documented plans to reduce the impact of the breach have a much better chance of staying out of the law courts and avoiding punishment
― Most organisations unfortunately don't have good systems for actually managing the problem. If a breach occurs, the law is really concerned with your behaviour at that point in time. You can't unravel the past and pretend the breach didn't occur; it's what you do from that point on that will determine your culpability
― On top of having well-documented systems and procedures, organisations need to have clearly defined actions for dealing with a breach and limiting the damage to those affected. This is likely to involve multiple disciplines that could include information security specialists, IT resources, a PR agency, legal advice and credit reporting services
― If you adopt an honourable stance from the outset, doing the right thing at the right time, then your legal team is in a very strong position to defend you to the regulator, arguing that you're not the kind of organisation that has the profile that requires the full effect of the law and therefore the punishment
How to protect organisations from security breaches
― Take some basic steps to build a "protective shield", most notably:
― Build a single, unified security policy
― Ensure information security forms part of any contract initiation
― Make security part of the process when any project is initiated
― Employee adequacy - ensure you have processes for handling new employees, changes of job and employees exiting the company; show that they were made aware of security requirements
― Third-party assurance - have processes in place to guard information held by third parties
― Culture - have a managerial structure in place that demonstrates a chain of responsibility for handling security and reporting errors
― 'Tone at the top'
― Shared ownership of good practices
― Openness & transparency - continuous improvement
State of the Nation - addressing Cyber Risk: four golden rules our plan is founded upon
1. Get the basics right: over 75% of attacks exploit failures to put in place basic controls
2. Look after the crown jewels: you have to prioritize where you spend your money to defend yourself, so build a fortress around your most critical asset
3. Do your homework on your enemies: invest in understanding who might attack you, why and how, so that you can anticipate the most likely scenarios and defend those assets that are most likely to get attacked
4. Treat cyber risk as an opportunity to look closely at your business: security and resilience can affect nearly every part of an organization. Strategies to protect IT security and business resiliency should align with an organization's broader goals - from protecting intellectual property to maximizing productivity to finding new ways to delight customers
Solving the big 'Board reporting problem' in cyber - Jon Hawes, Security Intelligence Strategist, Panaseer
Cyber security insurance - Graeme Newman, Chief Innovation Officer, CFC
Tackling the insider threat - Garath Lauder, Director, Cyberseer; Ted Plumis, Vice President of Channels and Corporate Development, Exabeam
Social engineering: the art of the con - Rob Shapland, Penetration Testing Team Manager, First Base Technologies
Cryptography Basics - Dr David Weston, Lecturer in Computer Science and Information Systems, Birkbeck, University of London
Tokens, Honeypots, Identification & Authorisation Services - Ray Dalgarno, Director, CYBERCAST
Trust with "THIS"
Tokens, Honeypots, Identification & Authorisation Services: The Confluence
Agenda
Warfare
Attack Surface, Attribution, Residency, Deniability
Honeypots & Tokens
Identification and Authorisation
Conclusion
Warfare: security through obscurity - the reason the armed forces adopt camouflage
NHS Cyber Attacks - The Telegraph, 1st Nov 2016
"...hacking is no longer the stuff of spy thrillers and action movies but a clear and present threat..."
"...Ben Gummer, minister for Cabinet, says that large quantities of sensitive data held by the NHS and the Government is being targeted by hackers..."
"...Ministers will also unveil a Cyber Security Research Institute, a virtual collection of UK universities which will work towards making passwords obsolete..."
Cyber Fraud
"...Online fraudsters stole £10.9bn in the UK last year..."
"...39% (of respondents) questioned by "Get Safe Online" said they were a victim of cybercrime but did not report it..."
"...53% received phishing messages..."
Extract from The Telegraph, 20th October 2016
Cyber Crime is a War Zone
"Rouse him and learn the principle of his activity or inactivity. Force him to reveal himself so as to find out his vulnerable spots"
"If you know the enemy and know yourself, you need not fear the results of a hundred battles"
- Sun Tzu, Military General, Strategist & Philosopher, 5th Century BC, China
Deception is a powerful, effective but under-utilised tool - (at least by defenders)
Full range of "effects" on adversaries possible through deception
Deception Effects - Attacker & Defender
Effect: Fail to observe. Attacker: prevent the defender from detecting the attack. Defender: prevent the attacker from discovering their target
Effect: Reveal. Attacker: trick the defender into providing access. Defender: trick the attacker into revealing their presence
Effect: Waste time. Attacker: focus the defender's attention on the wrong aspects of the incident. Defender: focus the attacker's efforts on the wrong target
Operation Mincemeat - 1943
Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa: to convince the Germans that instead of attacking Sicily the Allied armies would invade Greece
This was accomplished by persuading the Germans that they had, by accident, intercepted top secret documents giving details of Allied war plans
Attack Surface, Attribution, Residency, Deniability: from the living room to the boardroom
Attack Surface
From ordinary consumers to a single-office business, through the regulatory bodies, to the national and global giants
The environment dictates the approach - no "Silver Bullet"
Layered security - combining multiple mitigating security controls to cost-effectively protect resources & data
Attack Attribution: at which point in the attack do you realise that you have been hacked?
TalkTalk, DNC, Yahoo
There are very few "smoking guns" visible
Attacks that often begin with broadly targeted phishing, that can introduce & run new binaries on victims' networks, & that connect to random internal hosts using exfiltrated credentials, can still remain hidden for a year
Examples of Global IT Vendors' Vulnerabilities
Microsoft: Microsoft's August (2016) Patch Tuesday included five updates rated critical out of a total of nine, bringing the number of patches for the year-to-date to 103
SAP: There are vulnerabilities in almost every SAP module; CRM, EP and SRM are leaders among them (ERPScan SAP Cyber Threat Report 2016)
Oracle MICROS (and others): In total, more than one million PoS terminals around the world could be at risk should the attacks prove to have been deeper than the companies are currently publicly admitting (Computing, Aug)
Dwell Time / Residency
Mandiant reported that attackers on average lurked on a network for 205 days before being discovered¹
Microsoft recently reported they place the number at more than 200 days to detect a security breach and 80 days to contain it²
1 https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf
2 https://blogs.windows.com/windowsexperience/2016/03/01/announcing-windows-defender-advanced-threat-protection/
Plausible Deniability & Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrongdoing cannot be proved as true or untrue due to a lack of evidence proving the allegation
It is a basic law for the cheat and the deceiver: be able to offer up an excuse that cannot be disproved easily and that makes sense for the situation
Trickle-down Effects
Increasing rapidity of car trickle-down: yesteryears' top-end car innovations eventually migrate through the models, becoming standard options in lower-priced vehicles
This pattern of innovation holds true in virtually every field, including cyber-security
Malware as a Service (MaaS) - moving from the heavily funded specialist cyber experts down into the mass market
MaaS is now commonly available at very low cost through the darknet, via Tor and I2P
Honeypots & Tokens: Evolution, Mimicry
Honeypots
Venus flytrap in action (triggered honeypot)
Trojan Horse (passive honeypot): built by the Greeks and used to enter the city of Troy and win the 10-year Trojan War - a 4th Century story
Cartography A trap street (passive honeypot) is a fictitious entry in the form of a misrepresented street for the purpose of trapping potential copyright violators
Tempting - moneypot
All minehelliphelliphellip
Ooops
Honeypot Principle
Focus on detecting threats Here wersquod like to know immediately someone has broken into the network
and in places they shouldnrsquot be
Ensure the honeypot looks appealing to the attacker The honeypot must look legitimate amp enticing
In this attack scenario the defender has particular advantage Once attackers initially land inside your internal network theyrsquore at a
disadvantage They donrsquot know the lay of the land and they need to explore it (reconnaissance) while remaining hidden
Defence through Deception
Deception is a highly effective solution for protecting environments used to confuse delay and redirect the enemy
Lured to the Canary Honeypot the attacker will be tricked into engaging with that device and believe they are being successful in their attack
Canary ndash Today and Tomorrow
Canary - great for remote sites but what about our VM data centres
What about integration with established enterprise monitoring frameworks such as Openview CA or Microsoft SCOM
Console management limit on the number of deployed Canaries
Are ldquoCanarytokensrdquo part of tomorrowrsquos planning
Identification amp Authorisation
A new way forward
TokensTokens - In general a token is an object that represents something else such as another object (either physical or virtual) or an abstract concept In computer systems there are a number of types of tokens both hardware and software
In human terms a token of trust can exist between two parties with such levels of trust reinforced through personal introductions with other partiesA token generation amp management platform designed specifically for high security multi-services in public and private clouds
greatly enhances trustworthy information handling
Identification with Passwords Any directory service or managementplatform holding passwords becomes atarget by the attacker for credentialsrsquo theft
Passwords are fundamentally flawed Often easy to guess Are reused across different services Are written down or stored or shared Can be intercepted Are expensive to maintain 29 of all cybercrime is from stolen
passwords
Identification WITHOUT Password
The Problem The password has outlived itrsquos usefulness
Secure Cloudlinkrsquos Response Patented and highly secure tokenised message management
solution assures password redundancy User credentials are not transmitted stored or replicated Secure digital services - a snap for the user
Randomised encrypted key generation ndashno consistent key to be stolen
ConclusionPossible quick-wins
Immediate Low-risk ConsiderationsPeople protection Continuous inter-active education on the threats amp risks posed by cyber-criminals through the deployment of Phish5 email phishing simulations with supporting education processes
Network hardening Rapid deployment of customisable low-cost capex-free Canary honeypots throughout the strategic points on the network
Access amp authorisation protection Review and assess the usage amp costs (directindirect) of passwords in your own organisation ndash test the results against Secure Cloudlink
Information handling assurance Regular external expert assessment amp audit of network data governance practices and procedures
Security Through Obscurity
Warfare - The Social Threat
Attack Surface Attribution Residency Deniability -Livingroom to Boardroom
Honeypots amp Tokens ndash Evolution Mimicked
Identification and Authorisation ndash New Pathway
Thank you
Trust in ldquoTHISrdquo
Security through ObscurityRay Dalgarno
raycybercastco
New and evolving forms of malwareMark Olding Senior Enterprise Presales Consultant Kaspersky Labs
The what how who and why of computer malware
Mark OldingSenior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1NEW VIRUS EVERY HOUR
19941NEW VIRUS EVERY MINUTE
20061NEW VIRUS EVERY SECOND
2011310000NEW SAMPLES EVERY DAY
2016
THE SCALE OF THE THREAT
90
99
01
Targeted attacks
Advanced persistent threats
Traditional cybercrime
Targeted threats to organizations
Cyber-weapons
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of ThingsBig Data Fragmentation of the internet
Cloud amp Virtualization Consumerisation amp Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy amp Data protection challenge
Online banking at risk
Mobile threatsDecreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of ThingsTargeting hotel networks
Ransomware programs
Cyber mercenaries Massive data leaks
Malware for ATMs
Financial phishing attacksAttacks on
PoS terminals
Threats to Smart CitieslsquoWipersrsquo amp Cyber - sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email Exploit kits
Social Networks
BrowsersAn-droi-dOS
VULNERBILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798113087 web attacks in 2015
25 attacks per second1518 attacks per minute
21 million attacks per day 91000 attacks per hour
DRIVE-BY DOWNLOADS
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
bull Evaluate the risksbull Patch OS and applicationsbull Mange your networkbull Secure your systems
Multi-layered protection Not just endpoints Default-Deny Encrypt Donrsquot forget mobile
bull Educate staff
RIGHT NOW
bull Stop fire fighting Create a strategy
bull Itrsquos bigger than ITbull Delegate to experts
Assessment Incident response Analysis
TOMORROW
bull lsquoThe end of APTsrsquobull Alternative payment systems and stock exchangebull Sabotage extortion and shamebull Ransomwarebull Trusted resourcesbull From lsquoAPT-as-a-Servicersquo to lsquoAccess-as-a-servicersquobull Balkanisationbull Transportationbull lsquoCrypto-apocalypse
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
Just how successful was it
Not very successful at
all
Perception versus reality
We think we are building thishellip
But we have potentially built thishellip
Case studies ndash poor practices
― October 2015
― Cause Simple (and old) technical exploit (executed by a 15 year-old boy)
― Immediate result 150000 customer records stolen (0ver 15000 full bank details)
― Incidentcrisis management extremely poor― CEO unprepared amp poorly briefed
― Scope of breach massively over-estimated
― Response ill-judged (500000 customers given lsquofree upgradersquo)
― Impacts― REPUTATION ndash Lost 95000 customers in year 1
― FINANCIAL ndash Current financial cost estimated at pound60m
― REGULATORY ndash Formally sanctioned by ICO (Fined 400k)
Case studies ndash insider threat
― December 2014
― Cause Malicious software deployed via lsquophishingrsquo attack used to obtain IDs and passwords
― Politically motivated
― Immediate result 100 terabytes of data stolen (the whole of the ldquocoukrdquo domain is only 68 Tb)
― Data included entire movies financials staff data salary data email records
― Data posted on the internet for download
― Impacts― REPUTATION ndash Deputy CEO forced to resign due to damaging email content
― FINANCIAL ndash Current financial cost estimated at $15m (impact reduced byinsurances and managed legal response)
Case studies ndash third party
― Spring 2014
― Cause Security compromise at third party AirCon and Ventilation contractor ndash access gained to Targetrsquos network
― Immediate result 70m customer records and 40m credit card records harvested across 1797 stores over extended period
― Data downloaded by criminals in Russia
― Impacts― FINANCIAL ndash Current financial cost to Target estimated at $61m (Industry-wide costs estimated at
$200m)
Get back to basics
― Itrsquos not just about the enemy at the gates (ie the perimeter)
― The perimeter is hard to define these days
― We cannot rely solely upon prevention ndash our detection and response capability must improve
We need to take the threat seriously
Get back to basics
― Technology and tools of the highest quality can be undermined by weaknesses in basic security practices
― Or by a flawed corporate culture
― CyberInformation risk is a problem for the entire business to resolve ndash not just IT
― Todayrsquos cyber criminals recognise this and exploit it by adopting a range of approaches which step away from the purely technical and exploit weaknesses in the way that organisations manage control and interact with their information
― A full frontal assault is unlikely to be profitable ndash an attacker will target compromise from the inside And they can be very patient
Get back to basics
Fundamentally addressing the Cyber Threat means going back to basics looking again at your organisation and the controls you already have
― Understanding your people ndash what threats do they pose After all there is no patch for stupidity
― Understanding your organisationrsquos information where it is and how it is used
― Identifying the main risks to physical and information assets
― Ensuring that the right measures are adopted to mitigate risk to within acceptable levels ndash balancing cost versus risk
Get back to basics ndash governance foundations
Unless the foundations of good information and security governance are working well any investment in security technology will most likely be wasted Fundamental areas for focus are
― Staff security training and awareness
― Robust oversight and management of third party suppliers
― Software amp hardware patch management
― Intelligent management amp admin of user access
― Clear policies on security acceptable system use and social media
People Process Tools In that order
Get back to basics – making it work
For effective and sustainable governance:
― Setting, maintaining and continuing to evolve the "tone at the top"
― Monitoring of information risk management by the Board of Directors
― Ongoing, practical and relevant awareness training
― Independent assurance
― Regular risk-based security testing, inside and outside the perimeter
What happens if a security breach occurs?
― If a security breach occurs, organisations that follow clearly documented plans to reduce the impact of the breach have a much better chance of staying out of the law courts and avoiding punishment
― Most organisations, unfortunately, don't have good systems for actually managing the problem. If a breach occurs, the law is really concerned with your behaviour at that point in time. You can't unravel the past and pretend the breach didn't occur; it's what you do from that point on that will determine your culpability
― On top of having well documented systems and procedures, organisations need to have clearly defined actions for dealing with a breach and limiting the damage to those affected. This is likely to involve multiple disciplines that could include information security specialists, IT resources, a PR agency, legal advice and credit reporting services
― If you adopt an honourable stance from the outset, doing the right thing at the right time, then your legal team is in a very strong position to defend you to the regulator, arguing that you're not the kind of organisation that has the profile that requires all of the effect of the law and therefore the punishment
How to protect organisations from security breaches
― Take some basic steps to build a "protective shield", most notably:
― Build a single, unified security policy
― Ensure information security forms part of any contract initiation
― Make security part of the process when any project is initiated
― Employee adequacy – ensure you have processes for handling new employees, changes of job and employees exiting the company; show that they were made aware of security requirements
― Third-party assurance – have processes in place to guard information held by third parties
― Culture – have a managerial structure in place that demonstrates a chain of responsibility for handling security and reporting errors
― 'Tone at the top'
― Shared ownership of good practices
― Openness & transparency – continuous improvement
State of the Nation – addressing Cyber Risk
Four golden rules our plan is founded upon:
Over 75% of attacks exploit failures to put in place basic controls
Get the basics right
You have to prioritize where you spend your money to defend yourself, so build a fortress around your most critical asset
Look after the crown jewels
Invest in understanding who might attack you, why and how, so that you can anticipate the most likely scenarios and defend those assets that are most likely to get attacked
Do your homework on your enemies
Security and resilience can affect nearly every part of an organization. Strategies to protect IT security and business resiliency should align with an organization's broader goals – from protecting intellectual property to maximizing productivity to finding new ways to delight customers
Treat cyber risk as an opportunity to look closely at your business
Solving the big 'Board reporting problem' in cyber – Jon Hawes, Security Intelligence Strategist, Panaseer
Cyber security insurance – Graeme Newman, Chief Innovation Officer, CFC
Tackling the insider threat – Garath Lauder, Director, Cyberseer; Ted Plumis, Vice President of Channels and Corporate Development, Exabeam
Social engineering: the art of the con – Rob Shapland, Penetration Testing Team Manager, First Base Technologies
Cryptography Basics – Dr David Weston, Lecturer in Computer Science and Information Systems, Birkbeck, University of London
Tokens, Honeypots, Identification & Authorisation Services – Ray Dalgarno, Director, CYBERCAST
Trust with "THIS"
Tokens, Honeypots, Identification & Authorisation Services – The Confluence
Agenda
Warfare
Attack Surface, Attribution, Residency, Deniability
Honeypots & Tokens
Identification and Authorisation
Conclusion
Warfare
Security through obscurity – the reason the armed forces adopt camouflage
NHS Cyber Attacks – The Telegraph, 1st Nov 2016
"…hacking is no longer the stuff of spy thrillers and action movies but a clear and present threat…"
"…Ben Gummer, minister for Cabinet, says that large quantities of sensitive data held by the NHS and the Government is being targeted by hackers…"
"…Ministers will also unveil a Cyber Security Research Institute, a virtual collection of UK universities which will work towards making passwords obsolete…"
Cyber Fraud
"…Online fraudsters stole £10.9bn in the UK last year…"
"…39% (of respondents) questioned by "Get Safe Online" said they were a victim of cybercrime but did not report it…"
"…53% received phishing messages…"
Extract from The Telegraph, 20th October 2016
Cyber Crime is a War Zone
"Rouse him and learn the principle of his activity or inactivity. Force him to reveal himself so as to find out his vulnerable spots."
"If you know the enemy and know yourself you need not fear the results of a hundred battles."
- Sun Tzu, Military General, Strategist & Philosopher, 5th Century BC, China
Deception is a powerful, effective but under-utilised tool – (at least by defenders)
Full range of "effects" on adversaries possible through deception
Deception Effects - Attacker & Defender
Effect: Fail to observe
  Attacker's use: Prevent the defender from detecting the attack
  Defender's use: Prevent the attacker from discovering their target
Effect: Reveal
  Attacker's use: Trick the defender into providing access
  Defender's use: Trick the attacker into revealing their presence
Effect: Waste Time
  Attacker's use: Focus the defender's attention on the wrong aspects of the incident
  Defender's use: Focus the attacker's efforts on the wrong target
Operation Mincemeat - 1943
Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa: to convince the Germans that, instead of attacking Sicily, the Allied armies would invade Greece.
This was accomplished by persuading the Germans that they had, by accident, intercepted top secret documents giving details of Allied war plans.
Attack Surface, Attribution, Residency, Deniability
From the living room to the boardroom
Attack Surface
From ordinary consumers to a single-office business, through the regulatory bodies, to the national and global giants
The environment dictates the approach – no "Silver Bullet"
Layered security – combining multiple mitigating security controls to cost-effectively protect resources & data
Attack Attribution
At which point in the attack do you realise that you have been hacked?
TalkTalk, DNC, Yahoo
There are very few "smoking guns" visible
Attacks that often begin with broadly targeted phishing, that can introduce & run new binaries on victims' networks, & that connect to random internal hosts using exfiltrated credentials, can still remain hidden for a year
Examples of Global IT Vendors' Vulnerabilities
Microsoft: Microsoft's August (2016) Patch Tuesday included five updates rated critical out of a total of nine, bringing the number of patches for the year-to-date to 103
SAP: There are vulnerabilities in almost every SAP module; CRM, EP and SRM are leaders among them (ERPScan, SAP Cyber Threat Report 2016)
Oracle MICROS (and others): In total, more than one million PoS terminals around the world could be at risk should the attacks prove to have been deeper than the companies are currently publicly admitting (Computing, Aug)
Dwell Time / Residency
Mandiant reported that attackers on average lurked on a network for 205 days before being discovered¹
Microsoft recently reported they place the number at more than 200 days to detect a security breach and 80 days to contain it²
1. https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf
2. https://blogs.windows.com/windowsexperience/2016/03/01/announcing-windows-defender-advanced-threat-protection
Plausible Deniability & Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrongdoing cannot be proved as true or untrue due to a lack of evidence proving the allegation
It is a basic law for the cheat and the deceiver: be able to offer up an excuse that cannot be disproved easily and that makes sense for the situation
Trickle-down Effects
Increasing rapidity of car trickle-down: yesteryears' top-end car innovations eventually migrate through the models, becoming standard options in lower-priced vehicles
This pattern of innovation holds true in virtually every field, including cyber-security
Malware as a Service (MaaS) – moving from the heavily funded specialist cyber experts down into the mass market
MaaS is now commonly available at very low cost through the darknet and sites such as TOR, I2P
Honeypots & Tokens – Evolution, Mimicry
Honeypots
Venus Flytrap in Action (triggered honeypot)
Trojan Horse (passive honeypot): built by the Greeks and used to enter the city of Troy and win the 10-year Trojan war – 4th Century story
Cartography: a trap street (passive honeypot) is a fictitious entry in the form of a misrepresented street, for the purpose of trapping potential copyright violators
Tempting – moneypot
All mine………
Ooops
Honeypot Principle
Focus on detecting threats. Here we'd like to know immediately someone has broken into the network and is in places they shouldn't be
Ensure the honeypot looks appealing to the attacker. The honeypot must look legitimate & enticing
In this attack scenario the defender has a particular advantage. Once attackers initially land inside your internal network they're at a disadvantage: they don't know the lay of the land and they need to explore it (reconnaissance) while remaining hidden
Defence through Deception
Deception is a highly effective solution for protecting environments, used to confuse, delay and redirect the enemy
Lured to the Canary honeypot, the attacker will be tricked into engaging with that device and believe they are being successful in their attack
Canary – Today and Tomorrow
Canary – great for remote sites, but what about our VM data centres?
What about integration with established enterprise monitoring frameworks such as OpenView, CA or Microsoft SCOM?
Console management limit on the number of deployed Canaries
Are "Canarytokens" part of tomorrow's planning?
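The honeypot principle above (any touch of a decoy is a high-confidence signal, because no legitimate user has a reason to touch it) applies just as well to the "Canarytokens" idea. The following is an added Python example, not code from the talk or from any Canary product: a small registry that mints a per-decoy token, verifies presented tokens with an HMAC tag so that log noise or guessed values cannot trigger it, and turns a genuine hit into an alert naming the decoy and where it was planted. The class names, the server secret and the sample hits are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Decoy:
    """Where a canary token was planted and what it pretends to be."""
    label: str                       # e.g. "fake AWS access key"
    location: str                    # e.g. a share path or a decoy document name
    hits: list = field(default_factory=list)


class CanaryRegistry:
    """Issues tokens of the form <id>.<tag> and turns any presentation of one into an alert.

    The tag is a truncated HMAC-SHA256 over the id under a server-side secret, so a
    scanner guessing ids, or random noise in logs, cannot produce a token that verifies.
    """

    TAG_LEN = 16  # hex characters of the HMAC kept as the tag (64 bits)

    def __init__(self, server_secret: bytes):
        self._secret = server_secret
        self._decoys = {}  # token id -> Decoy

    def _tag(self, token_id: str) -> str:
        mac = hmac.new(self._secret, token_id.encode("utf-8"), hashlib.sha256)
        return mac.hexdigest()[: self.TAG_LEN]

    def issue(self, label: str, location: str) -> str:
        """Mint a fresh token and remember where it is going to be planted."""
        token_id = secrets.token_hex(8)
        self._decoys[token_id] = Decoy(label, location)
        return f"{token_id}.{self._tag(token_id)}"

    def lookup(self, presented: str):
        """Return the Decoy behind a genuine token, or None for noise and forgeries."""
        token_id, sep, tag = presented.partition(".")
        if not sep or len(tag) != self.TAG_LEN:
            return None
        expected = self._tag(token_id)
        # Constant-time comparison on bytes: no timing oracle, and non-ASCII input
        # simply fails to match instead of raising.
        if not hmac.compare_digest(tag.encode("utf-8"), expected.encode("utf-8")):
            return None
        return self._decoys.get(token_id)

    def record_hit(self, presented: str, source: str, when: str):
        """Log a hit and build the alert. A genuine token has no legitimate user, so one hit is enough."""
        decoy = self.lookup(presented)
        if decoy is None:
            return None
        decoy.hits.append({"source": source, "when": when})
        return {
            "severity": "high",
            "reason": "canary token presented; no legitimate workflow ever uses it",
            "decoy": decoy.label,
            "planted_at": decoy.location,
            "source": source,
            "when": when,
            "hit_count": len(decoy.hits),
        }


if __name__ == "__main__":
    # Constructed walk-through: plant one decoy credential, then replay two hits
    # and one piece of log noise against the registry.
    registry = CanaryRegistry(server_secret=b"constructed-demo-secret")
    token = registry.issue("fake AWS access key", r"\\fs01\finance\aws-keys.txt")
    print("planted:", token)
    replay = [(token, "10.0.5.23"), ("garbage.0000000000000000", "10.0.9.9"), (token, "10.0.5.23")]
    for presented, src in replay:
        alert = registry.record_hit(presented, src, "2016-11-04T09:00:00Z")
        print(alert or f"ignored {presented!r} from {src}")
```

The alert carries the decoy's planted location, which is what makes a token hit actionable: it tells the responder which share, document or host the intruder has already reached.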
Identification & Authorisation
A new way forward
Tokens
Tokens – In general, a token is an object that represents something else, such as another object (either physical or virtual) or an abstract concept. In computer systems there are a number of types of tokens, both hardware and software
In human terms, a token of trust can exist between two parties, with such levels of trust reinforced through personal introductions with other parties
A token generation & management platform designed specifically for high security multi-services in public and private clouds greatly enhances trustworthy information handling
Identification with Passwords
Any directory service or management platform holding passwords becomes a target by the attacker for credentials' theft
Passwords are fundamentally flawed: often easy to guess; reused across different services; written down, stored or shared; can be intercepted; expensive to maintain. 29% of all cybercrime is from stolen passwords
Identification WITHOUT Password
The Problem: The password has outlived its usefulness
Secure Cloudlink's Response: Patented and highly secure tokenised message management solution assures password redundancy. User credentials are not transmitted, stored or replicated. Secure digital services – a snap for the user
Randomised encrypted key generation – no consistent key to be stolen
Conclusion – Possible quick-wins
Immediate Low-risk Considerations
People protection: Continuous, interactive education on the threats & risks posed by cyber-criminals, through the deployment of Phish5 email phishing simulations with supporting education processes
Network hardening: Rapid deployment of customisable, low-cost, capex-free Canary honeypots throughout the strategic points on the network
Access & authorisation protection: Review and assess the usage & costs (direct/indirect) of passwords in your own organisation – test the results against Secure Cloudlink
Information handling assurance: Regular external expert assessment & audit of network data governance practices and procedures
Security Through Obscurity
Warfare – The Social Threat
Attack Surface, Attribution, Residency, Deniability – Living room to Boardroom
Honeypots & Tokens – Evolution Mimicked
Identification and Authorisation – New Pathway
Thank you
Trust in "THIS"
Security through Obscurity – Ray Dalgarno
ray@cybercast.co
New and evolving forms of malware – Mark Olding, Senior Enterprise Presales Consultant, Kaspersky Labs
The what, how, who and why of computer malware
Mark Olding, Senior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1994: 1 new virus every hour
2006: 1 new virus every minute
2011: 1 new virus every second
2016: 310,000 new samples every day
THE SCALE OF THE THREAT
[Chart: 90% traditional cybercrime; 9.9% targeted attacks / advanced persistent threats (targeted threats to organizations); 0.1% cyber-weapons]
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of Things; Big Data; Fragmentation of the internet
Cloud & Virtualization; Consumerisation & Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy & Data protection challenge
Online banking at risk
Mobile threats; Decreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of Things; Targeting hotel networks
Ransomware programs
Cyber mercenaries; Massive data leaks
Malware for ATMs
Financial phishing attacks; Attacks on PoS terminals
Threats to Smart Cities; 'Wipers' & Cyber-sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email, Exploit kits
Social Networks
Browsers, Android OS
VULNERABILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798,113,087 web attacks in 2015
25 attacks per second; 1,518 attacks per minute
91,000 attacks per hour; 2.1 million attacks per day
DRIVE-BY DOWNLOADS (June 2015)
SOCIAL MEDIA (June 2015)
REMOVABLE DRIVES (June 2015)
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
[Chart: users attacked per month, Nov-14 to Sep-15; vertical axis 0 to 450,000 users]
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on almost 2 million computers
This number is 2.8% higher than in 2014
Ransomware (June 2015)
[Chart: Blockers vs Cryptors, June 2015]
Advanced Persistent Threats
Stuxnet
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
Red October
Miniduke
TeamSpy
Energetic Bear / Crouching Yeti
Epic Turla
Careto / The Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 2.0
Blue Termite
Wild Neutron
We discover and dissect the world's most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
A targeted attack on a bank
1. Infection: Carbanak sent a backdoor as an attachment; emails with exploits sent to bank employees; credentials stolen; 100s of machines infected in search of the admin PC
2. Harvesting Intelligence: Intercepting the clerk's screen (admin, REC, cash transfer systems)
3. Mimicking the staff – How the money was stolen:
Online Banking – Money was transferred to the fraudsters' accounts
E-Payment Systems – Money was transferred to banks in China and the US
Inflated account balances – The extra funds were pocketed via a fraudulent transaction
Controlling ATMs – Orders to dispense cash at a pre-determined time
MAC MALWARE
In 2012 the Flashback botnet was discovered, consisting of 700,000 computers all running under Mac OS X
Cybercriminals repeatedly use Mac malware when launching targeted attacks
Macs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
[Chart: Mac malware samples by year, 2003 to 2015; vertical axis 0 to 30,000]
Since 2012 the proportion of adware on OS X has increased fivefold (x5)
Kaspersky Lab recorded almost 6 million unique attacks on Mac devices in 2015
There are more than 24,000 samples of malicious OS X files in Kaspersky Lab's collection
MOBILE MALWARE
[Chart: mobile malware samples, Q1 2011 to Q3 2015; vertical axis 0 to 1,600,000]
MOBILE MALWARE – by type
Adware, RiskTool, Trojan-SMS, Trojan, Trojan-Spy, Backdoor, Trojan-Downloader, Trojan-Banker, Trojan-Ransom, Monitor, Other
RIGHT NOW
• Evaluate the risks
• Patch OS and applications
• Manage your network
• Secure your systems: multi-layered protection; not just endpoints; Default-Deny; encrypt; don't forget mobile
• Educate staff
• Stop fire fighting. Create a strategy
• It's bigger than IT
• Delegate to experts: assessment, incident response, analysis
FUTURE PROSPECTS – TOMORROW
• 'The end of APTs'
• Alternative payment systems and stock exchange
• Sabotage, extortion and shame
• Ransomware
• Trusted resources
• From 'APT-as-a-Service' to 'Access-as-a-service'
• Balkanisation
• Transportation
• 'Crypto-apocalypse'
THANK YOU
Closing keynote address – Vicki Gavin, Compliance Director, Head of Business Continuity & Information Security, The Economist Group
Thank you
Perception versus reality
We think we are building this…
But we have potentially built this…
Case studies – poor practices
― October 2015
― Cause: Simple (and old) technical exploit (executed by a 15 year-old boy)
― Immediate result: 150,000 customer records stolen (over 15,000 full bank details)
― Incident/crisis management extremely poor
― CEO unprepared & poorly briefed
― Scope of breach massively over-estimated
― Response ill-judged (500,000 customers given 'free upgrade')
― Impacts
― REPUTATION – Lost 95,000 customers in year 1
― FINANCIAL – Current financial cost estimated at £60m
― REGULATORY – Formally sanctioned by ICO (Fined £400k)
Case studies – insider threat
― December 2014
― Cause: Malicious software, deployed via 'phishing' attack, used to obtain IDs and passwords
― Politically motivated
― Immediate result: 100 terabytes of data stolen (the whole of the ".co.uk" domain is only 68 Tb)
― Data included entire movies, financials, staff data, salary data, email records
― Data posted on the internet for download
― Impacts
― REPUTATION – Deputy CEO forced to resign due to damaging email content
― FINANCIAL – Current financial cost estimated at $15m (impact reduced by insurances and managed legal response)
Case studies – third party
― Spring 2014
― Cause: Security compromise at third party AirCon and Ventilation contractor – access gained to Target's network
― Immediate result: 70m customer records and 40m credit card records harvested across 1,797 stores over an extended period
― Data downloaded by criminals in Russia
― Impacts
― FINANCIAL – Current financial cost to Target estimated at $61m (Industry-wide costs estimated at $200m)
Get back to basics
― It's not just about the enemy at the gates (i.e. the perimeter)
― The perimeter is hard to define these days
― We cannot rely solely upon prevention – our detection and response capability must improve
We need to take the threat seriously
Get back to basics
― Technology and tools of the highest quality can be undermined by weaknesses in basic security practices
― Or by a flawed corporate culture
― CyberInformation risk is a problem for the entire business to resolve ndash not just IT
― Todayrsquos cyber criminals recognise this and exploit it by adopting a range of approaches which step away from the purely technical and exploit weaknesses in the way that organisations manage control and interact with their information
― A full frontal assault is unlikely to be profitable ndash an attacker will target compromise from the inside And they can be very patient
Get back to basics
Fundamentally addressing the Cyber Threat means going back to basics looking again at your organisation and the controls you already have
― Understanding your people ndash what threats do they pose After all there is no patch for stupidity
― Understanding your organisationrsquos information where it is and how it is used
― Identifying the main risks to physical and information assets
― Ensuring that the right measures are adopted to mitigate risk to within acceptable levels ndash balancing cost versus risk
Get back to basics ndash governance foundations
Unless the foundations of good information and security governance are working well any investment in security technology will most likely be wasted Fundamental areas for focus are
― Staff security training and awareness
― Robust oversight and management of third party suppliers
― Software amp hardware patch management
― Intelligent management amp admin of user access
― Clear policies on security acceptable system use and social media
People Process Tools In that order
Get back to basics ndash making it work
For effective and sustainable governance
― Setting maintaining and continuing to evolve the ldquotone at the toprdquo
― Monitoring of information risk management by the Board of Directors
― Ongoing practical and relevant awareness training
― Independent assurance
― Regular risk-based security testing Inside and outside the perimeter
What happens if a security breach occurs
― If a security breach occurs organisations that follow clearly documented plans to reduce the impact of the breach have a much better chance of staying out of the law courts and avoiding punishment
― Most organisations unfortunately dont have good systems for actually managing the problem If a breach occurs the law is really concerned with your behaviour at that point in time You cant unravel the past and pretend the breach didnt occur its what you do from that point on that will determine your culpability
― On top of having well documented systems and procedures organisations need to have clearly defined actions for dealing with a breach and limiting the damage to those affected This is likely to involve multiple disciplines that could include information security specialists IT resources a PR agency legal advice and credit reporting services
― If you adopt an honourable stance from the outset doing the right thing at the right time then your legal team is in a very strong position to defend you to the regulator arguing that youre not the kind of organisation that has the profile that requires all of the effect of the law and therefore the punishment
How to protect organisations from security breaches
― Take some basic steps to build a protective shieldrdquo most notably― Build a single unified security policy
― Ensure information security forms part of any contract initiation
― Make security part of the process when any project is initiated
― Employee adequacy ndash ensure you have processes for handling new employees changes of job and for employees exiting the company show that they were made aware of security requirements
― Third-party assurance ndash have processes in place to guard information held by third parties
― Culture ndash have a managerial structure in place that demonstrates a chain of responsibility for handling security and reporting errors― lsquoTone at the toprsquo
― Shared ownership of good practices
― Openness amp transparency ndash continuous improvement
State of the Nation ndash addressing Cyber RiskFour golden rules our plan is founded upon
Over 75 of attacks exploit failures to put in place basic controls
Get the basics right
You have to prioritize where you spend your money to defend yourself so build a fortress
around your most critical asset
Look after the crown jewels
Invest in understanding who might attack you why and how so that you can anticipate the most likely scenarios and defend those assets that are
most likely to get attacked
Do your homework on your enemies
Security and resilience can affect nearly every part of an organization Strategies to protect IT
security and business resiliency should align with an organizationrsquos broader goals ndash from protecting intellectual property to maximizing productivity to
finding new ways to delight customers
Treat cyber risk as an opportunity to look closely at your business
Solving the big lsquoBoard reporting problemrsquo in cyberJon Hawes Security Intelligence Strategist Panaseer
Cyber security insuranceGraeme Newman Chief Innovation OfficerCFC
Tackling the insider threatGarath Lauder Director CyberseerTed Plumis Vice President of Channels and Corporate Development Exabeam
Social engineering the art of the conRob Shapland Penetration Testing Team Manager First Base Technologies
Cryptography Basics Dr David Weston Lecturer in Computer Science and Information SystemsBirkbeck University of London
Tokens Honeypots Idenitfication Authorisation Services Ray Dalgarno Director CYBERCAST
Trust with ldquoTHISrdquo
TokensHoneypots
Identification Authorisation ServicesThe Confluence
Agenda
Warfare
Attack Surface Attribution Residency Deniability
Honeypots amp Tokens
Identification and Authorisation
Conclusion
WarfareSecurity through obscurity ndash
the reason the armed forces adopt camouflage
NHS Cyber Attacks ndash The Telegraph 1st Nov 2016
ldquohelliphacking is no longer the stuff of spy thrillers and action movies but a clear and present threathelliprdquo
ldquohellipBen Gummer minister for Cabinet says that large quantities of sensitive data held by the NHS and the Government is being targeted by hackershelliprdquo
ldquohellipMinisters will also unveil a Cyber Security Research Institute a virtual collection of UK universities which will work towards making passwords obsoletehelliprdquo
Cyber Fraud
ldquohellipOnline fraudsters stole pound109bn in the UK last yearhelliprdquo
ldquohellip39 (of respondents) questioned by ldquoGet Safe Onlinerdquo said they were a victim of cybercrime but did not report ithelliprdquo
ldquohellip53 received phishing messageshelliprdquo
Extract from The Telegraph 20th October 2016
Cyber Crime is a War ZoneldquoRouse him and learn the principle of his activity or inactivity Force him to reveal himself so as to find out his vulnerable spotsrdquoldquoIf you know the enemy and know yourself you need not fear the results of a hundred battlesrdquo
- Sun Tzu Military General Strategist amp Philosopher 5th Century BC ChinaDeception is a powerful effective but under utilised tool ndash (at least by defenders)
Full range of ldquoeffectsrdquo on adversaries possible through deception
Effects Attacker Defender
Fail to observe
Prevent the defender from detecting the attack Prevent the attacker from discovering their target
Reveal
Trick the defender into providing access Trick the attacker into revealing their presence
Waste Time
Focus the defenderrsquos attention on the wrong aspects of the incident
Focus the attackerrsquos efforts on the wrong target
Deception Effects - Attacker amp Defender
Operation Mincemeat - 1943
Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa To convince the Germans that instead of attacking Sicily the Allied armies would invade Greece
Operation Mincemeat - 1943Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa To convince the Germans that instead of attacking Sicily the Allied armies would invade Greece
This was accomplished by persuading the Germans that they had by accident intercepted top secret documents giving details of Allied war plans
Attack Surface Attribution Residency
DeniabilityFrom the living room to the boardroom
Attack Surface
From ordinary consumers to a single-office business through the regulatory bodies to the national and global giants
The environment dictates the approach ndash no ldquoSilver Bulletrdquo
Layered security ndash combining multiple mitigating security controls to cost effectively protect resources amp data
Attack AttributionAt which point in the attack do you realise that you have been hacked
TalkTalk DNC Yahoo
There are very few ldquosmoking gunsrdquo visible
Attacks that often begin with broadly targeted phishing that can introduce amp run new binaries on victims networks amp that connect to random internal hosts using exfiltrated credentials can still remain hidden for a year
Examples of Global IT Vendorsrsquo Vulnerabilities
Microsoft Microsoft August (2016) Patch Tuesday included five updates rated
critical out of a total of nine bringing the number of patches for the year-to-date at 103
SAP There are vulnerabilities in almost every SAP module CRM EP and SRM
are leaders among them ERPScan SAP Cyber Threat Report2016
Oracle MICROS (and others) In total more than one million PoS terminals around the world could be
at risk should the attacks prove to have been deeper than the companies are currently publicly admitting
Computing Aug
Dwell TimeResidency
Mandiant reported that attackers on average lurked on a network for 205 days before being discoveredsup1
Microsoft recently reported they place the number at more than 200 days to detect a security breach and 80 days to contain itsup2
1 httpswww2fireeyecomrsfireyeimagesrpt-m-trends-2015pdf2 httpsblogswindowscomwindowsexperience20160301announcing-windows-defender-advanced-threat-protection
Plausible Deniability amp Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrong doing cannot be proved as true or untrue due to a lack of evidence proving the allegation
It is a basic law for the cheat and the deceiver Be able to offer up an excuse that cannot be disproved easily and that makes sense for the situation
Trickle-down Effects
Increasing rapidity of car-trickle-down yester-yearsrsquo top end car innovations eventually migrate through the models becoming standard options in lower-priced vehicles
This pattern of innovation holds true in virtually every field including cyber- security
Malware as a Service (MaaS) ndash moving from the heavily funded specialist cyber experts down into the mass market
MaaS now commonly available at very low cost through the darknet and sites such TOR I2p
Honeypots amp TokensEvolution Mimicry
Honeypots
Venus Flytrap in Action (triggered honeypot)
Trojan Horse (passive honeypot) Greeks built used to enter the city of Troy and win the 10 year Trojan war - 4th Century story
Cartography A trap street (passive honeypot) is a fictitious entry in the form of a misrepresented street for the purpose of trapping potential copyright violators
Tempting - moneypot
All minehelliphelliphellip
Ooops
Honeypot Principle
Focus on detecting threats. Here we'd like to know immediately that someone has broken into the network and is in places they shouldn't be.
Ensure the honeypot looks appealing to the attacker. The honeypot must look legitimate & enticing.
In this attack scenario the defender has a particular advantage. Once attackers initially land inside your internal network they're at a disadvantage: they don't know the lay of the land, and they need to explore it (reconnaissance) while remaining hidden.
Defence through Deception
Deception is a highly effective solution for protecting environments, used to confuse, delay and redirect the enemy.
Lured to the Canary honeypot, the attacker will be tricked into engaging with that device and believe they are being successful in their attack.
Canary – Today and Tomorrow
Canary – great for remote sites, but what about our VM data centres?
What about integration with established enterprise monitoring frameworks such as OpenView, CA or Microsoft SCOM?
Console management: limit on the number of deployed Canaries
Are "Canarytokens" part of tomorrow's planning?
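The honeypot principle above (a decoy that no legitimate workflow ever touches, so any contact is a high-fidelity alert) and the Canarytokens idea (a planted decoy credential whose use reveals the intruder) can be reduced to a few lines of detection logic. The following is an added example written for this page; it is not code from the deck, from the speaker, or from the Canary/Canarytokens products. The log line layout, the decoy host addresses, the token format and the sample log lines are all constructed assumptions.

```python
"""Honeypot and honeytoken alerting over a constructed log feed.

Added example for this page; not code from the ICSA deck, from Ray
Dalgarno, or from the Canary / Canarytokens products. The log format, the
decoy host addresses and the sample lines are all constructed here."""
import re
import secrets
from dataclasses import dataclass

# Constructed: addresses of decoy hosts. No legitimate workflow ever talks
# to them, so a single connection is a high-fidelity alert (the honeypot
# principle: know immediately when someone is somewhere they should not be).
HONEYPOT_HOSTS = {"10.0.5.250", "10.0.9.250"}


@dataclass(frozen=True)
class Honeytoken:
    kind: str        # what the lure pretends to be, e.g. "db-password"
    value: str       # the decoy secret planted in an enticing place
    planted_at: str  # where it was left, so an alert names the lure that fired


def make_honeytoken(kind: str, planted_at: str) -> Honeytoken:
    """Mint a unique decoy value; uniqueness ties a hit back to one lure."""
    return Honeytoken(kind, f"DECOY-{secrets.token_hex(8)}", planted_at)


# Assumed (constructed) log line layout: "<ts> <src> -> <dst>:<port> <message>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+) (?P<msg>.*)$"
)


def detect(log_lines, honeypot_hosts, tokens):
    """Return one alert dict per honeypot touch or honeytoken use.

    Unparseable lines are skipped rather than raising: a detector that
    crashes on an odd log line is a detector an intruder can switch off."""
    alerts = []
    by_value = {t.value: t for t in tokens}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        src, dst, msg = m["src"], m["dst"], m["msg"]
        if dst in honeypot_hosts:
            alerts.append({"type": "honeypot-touch", "src": src, "dst": dst,
                           "lure": dst, "ts": m["ts"]})
        for value, tok in by_value.items():
            if value in msg:
                alerts.append({"type": "honeytoken-use", "src": src, "dst": dst,
                               "lure": f"{tok.kind} planted at {tok.planted_at}",
                               "ts": m["ts"]})
    return alerts


def demo():
    """Run the detector over constructed sample traffic and return the alerts."""
    # Fixed token value so the run is reproducible; in use, call make_honeytoken().
    db_token = Honeytoken("db-password", "DECOY-7f3a9c01d2e4b5a6",
                          r"\\fs01\finance\db-creds.txt")
    sample_log = [  # constructed sample lines, not real traffic
        "2016-11-04T09:12:01Z 10.0.3.14 -> 10.0.3.20:445 smb session user=jsmith",
        "2016-11-04T09:12:07Z 10.0.3.14 -> 10.0.5.250:22 ssh connect",
        "2016-11-04T09:13:40Z 10.0.3.14 -> 10.0.3.30:5432 login user=backup "
        "password=DECOY-7f3a9c01d2e4b5a6",
        "2016-11-04T09:14:02Z 10.0.3.99 -> 10.0.3.20:443 https GET /",
        "malformed line that the parser must tolerate",
    ]
    return detect(sample_log, HONEYPOT_HOSTS, [db_token])


if __name__ == "__main__":
    for a in demo():
        print(f"{a['ts']} {a['type']:15} {a['src']} -> {a['dst']}  lure: {a['lure']}")
```

Two alerts come out of the sample: the SSH connection to the decoy host, and the use of the planted database password against a real server. Both name the lure that fired, which is what makes a honeypot alert actionable: the defender learns not only that someone is inside but which "tempting" object drew them in, and the source address of the machine doing the reconnaissance.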
Identification & Authorisation
A new way forward
Tokens – In general a token is an object that represents something else, such as another object (either physical or virtual) or an abstract concept. In computer systems there are a number of types of tokens, both hardware and software.
In human terms a token of trust can exist between two parties, with such levels of trust reinforced through personal introductions with other parties.
A token generation & management platform designed specifically for high-security multi-services in public and private clouds greatly enhances trustworthy information handling.
Identification with Passwords: any directory service or management platform holding passwords becomes a target for the attacker for credentials' theft.
Passwords are fundamentally flawed:
• Often easy to guess
• Are reused across different services
• Are written down, stored or shared
• Can be intercepted
• Are expensive to maintain
• 29% of all cybercrime is from stolen passwords
Identification WITHOUT Password
The Problem: the password has outlived its usefulness.
Secure Cloudlink's Response: patented and highly secure tokenised message management solution assures password redundancy. User credentials are not transmitted, stored or replicated. Secure digital services – a snap for the user.
Randomised encrypted key generation – no consistent key to be stolen.
Conclusion – Possible quick-wins
Immediate Low-risk Considerations
People protection: continuous interactive education on the threats & risks posed by cyber-criminals, through the deployment of Phish5 email phishing simulations with supporting education processes.
Network hardening: rapid deployment of customisable, low-cost, capex-free Canary honeypots throughout the strategic points on the network.
Access & authorisation protection: review and assess the usage & costs (direct/indirect) of passwords in your own organisation – test the results against Secure Cloudlink.
Information handling assurance: regular external expert assessment & audit of network data governance practices and procedures.
Security Through Obscurity
Warfare – The Social Threat
Attack Surface, Attribution, Residency, Deniability – Living room to Boardroom
Honeypots & Tokens – Evolution Mimicked
Identification and Authorisation – New Pathway
Thank you
Trust in "THIS"
Security through Obscurity – Ray Dalgarno
ray@cybercast.co
New and evolving forms of malware – Mark Olding, Senior Enterprise Presales Consultant, Kaspersky Labs
The what, how, who and why of computer malware
Mark Olding, Senior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1994: 1 new virus every hour
2006: 1 new virus every minute
2011: 1 new virus every second
2016: 310,000 new samples every day
THE SCALE OF THE THREAT
Chart: share of threats – traditional cybercrime 90%; targeted threats to organizations 9.9%; cyber-weapons 0.1% (categories: targeted attacks, advanced persistent threats, traditional cybercrime)
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of Things
Big Data
Fragmentation of the internet
Cloud & Virtualization
Consumerisation & Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy & Data protection challenge
Online banking at risk
Mobile threats
Decreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of Things
Targeting hotel networks
Ransomware programs
Cyber mercenaries
Massive data leaks
Malware for ATMs
Financial phishing attacks
Attacks on PoS terminals
Threats to Smart Cities
'Wipers' & Cyber-sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email
Exploit kits
Social Networks
Browsers
Android OS
VULNERABILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798,113,087 web attacks in 2015
25 attacks per second; 1,518 attacks per minute
91,000 attacks per hour; 2.1 million attacks per day
DRIVE-BY DOWNLOADS (June 2015)
SOCIAL MEDIA (June 2015)
REMOVABLE DRIVES (June 2015)
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Chart: number of users attacked per month, Nov-14 to Sep-15 (y-axis 0 to 450,000 users)
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on almost 2 million computers.
This number is 2.8% higher than in 2014.
Ransomware (June 2015)
BLOCKERS
CRYPTORS
Advanced Persistent Threats
Stuxnet
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetic Bear / Crouching Yeti
Epic Turla
Careto / The Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 2.0
Blue Termite
Wild Neutron
We discover and dissect the world's most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
A targeted attack on a bank
1. Infection: Carbanak sent a backdoor as an attachment – emails with exploits to bank employees; credentials stolen; 100s of machines infected in search of the admin PC.
2. Harvesting intelligence: intercepting the clerk's screen (diagram: Admin → REC → cash transfer systems).
3. Mimicking the staff – how the money was stolen:
Online banking: money was transferred to the fraudsters' accounts
E-payment systems: money was transferred to banks in China and the US
Inflated account balances: the extra funds were pocketed via a fraudulent transaction
Controlling ATMs: orders to dispense cash at a pre-determined time
MAC MALWARE
In 2012 the Flashback botnet was discovered, consisting of 700,000 computers all running under Mac OS X.
Cybercriminals repeatedly use Mac malware when launching targeted attacks.
Macs can unknowingly pass PC malware onto PCs in your network.
MAC MALWARE
Chart: Mac malware samples by year, 2003 to 2015 (y-axis 0 to 30,000)
Since 2012 the proportion of adware on OS X has increased fivefold (x5).
Kaspersky Lab recorded almost 6 million unique attacks on Mac devices in 2015.
There are more than 24,000 samples of malicious OS X files in Kaspersky Lab's collection.
MOBILE MALWARE
Chart: mobile malware samples per quarter, Q1 2011 to Q3 2015 (y-axis 0 to 1,600,000)
MOBILE MALWARE
Chart: mobile malware by type – Adware, RiskTool, Trojan-SMS, Trojan, Trojan-Spy, Backdoor, Trojan-Downloader, Trojan-Banker, Trojan-Ransom, Monitor, Other
RIGHT NOW
• Evaluate the risks
• Patch OS and applications
• Manage your network
• Secure your systems: multi-layered protection, not just endpoints; Default-Deny; encrypt; don't forget mobile
• Educate staff
• Stop fire fighting – create a strategy
• It's bigger than IT
• Delegate to experts: assessment, incident response, analysis
TOMORROW – FUTURE PROSPECTS
• 'The end of APTs'
• Alternative payment systems and stock exchange
• Sabotage, extortion and shame
• Ransomware
• Trusted resources
• From 'APT-as-a-Service' to 'Access-as-a-Service'
• Balkanisation
• Transportation
• 'Crypto-apocalypse'
THANK YOU
Closing keynote address – Vicki Gavin, Compliance Director, Head of Business Continuity & Information Security, The Economist Group
Thank you
Case studies – poor practices
― October 2015
― Cause: simple (and old) technical exploit (executed by a 15-year-old boy)
― Immediate result: 150,000 customer records stolen (over 15,000 full bank details)
― Incident/crisis management extremely poor
― CEO unprepared & poorly briefed
― Scope of breach massively over-estimated
― Response ill-judged (500,000 customers given 'free upgrade')
― Impacts:
― REPUTATION – lost 95,000 customers in year 1
― FINANCIAL – current financial cost estimated at £60m
― REGULATORY – formally sanctioned by ICO (fined £400k)
Case studies – insider threat
― December 2014
― Cause: malicious software deployed via 'phishing' attack, used to obtain IDs and passwords
― Politically motivated
― Immediate result: 100 terabytes of data stolen (the whole of the ".co.uk" domain is only 68 Tb)
― Data included entire movies, financials, staff data, salary data, email records
― Data posted on the internet for download
― Impacts:
― REPUTATION – Deputy CEO forced to resign due to damaging email content
― FINANCIAL – current financial cost estimated at $15m (impact reduced by insurances and managed legal response)
Case studies – third party
― Spring 2014
― Cause: security compromise at third-party air-con and ventilation contractor – access gained to Target's network
― Immediate result: 70m customer records and 40m credit card records harvested across 1,797 stores over an extended period
― Data downloaded by criminals in Russia
― Impacts:
― FINANCIAL – current financial cost to Target estimated at $61m (industry-wide costs estimated at $200m)
Get back to basics
― It's not just about the enemy at the gates (i.e. the perimeter)
― The perimeter is hard to define these days
― We cannot rely solely upon prevention – our detection and response capability must improve
We need to take the threat seriously
Get back to basics
― Technology and tools of the highest quality can be undermined by weaknesses in basic security practices
― Or by a flawed corporate culture
― Cyber/information risk is a problem for the entire business to resolve – not just IT
― Today's cyber criminals recognise this and exploit it by adopting a range of approaches which step away from the purely technical and exploit weaknesses in the way that organisations manage, control and interact with their information
― A full frontal assault is unlikely to be profitable – an attacker will target compromise from the inside. And they can be very patient
Get back to basics
Fundamentally, addressing the cyber threat means going back to basics: looking again at your organisation and the controls you already have.
― Understanding your people – what threats do they pose? After all, there is no patch for stupidity
― Understanding your organisation's information: where it is and how it is used
― Identifying the main risks to physical and information assets
― Ensuring that the right measures are adopted to mitigate risk to within acceptable levels – balancing cost versus risk
Get back to basics – governance foundations
Unless the foundations of good information and security governance are working well, any investment in security technology will most likely be wasted. Fundamental areas for focus are:
― Staff security training and awareness
― Robust oversight and management of third-party suppliers
― Software & hardware patch management
― Intelligent management & admin of user access
― Clear policies on security, acceptable system use and social media
People, Process, Tools. In that order.
Get back to basics – making it work
For effective and sustainable governance:
― Setting, maintaining and continuing to evolve the "tone at the top"
― Monitoring of information risk management by the Board of Directors
― Ongoing practical and relevant awareness training
― Independent assurance
― Regular risk-based security testing, inside and outside the perimeter
What happens if a security breach occurs?
― If a security breach occurs, organisations that follow clearly documented plans to reduce the impact of the breach have a much better chance of staying out of the law courts and avoiding punishment.
― Most organisations unfortunately don't have good systems for actually managing the problem. If a breach occurs, the law is really concerned with your behaviour at that point in time. You can't unravel the past and pretend the breach didn't occur; it's what you do from that point on that will determine your culpability.
― On top of having well-documented systems and procedures, organisations need to have clearly defined actions for dealing with a breach and limiting the damage to those affected. This is likely to involve multiple disciplines that could include information security specialists, IT resources, a PR agency, legal advice and credit reporting services.
― If you adopt an honourable stance from the outset, doing the right thing at the right time, then your legal team is in a very strong position to defend you to the regulator, arguing that you're not the kind of organisation that has the profile that requires all of the effect of the law and therefore the punishment.
How to protect organisations from security breaches
― Take some basic steps to build a "protective shield", most notably:
― Build a single unified security policy
― Ensure information security forms part of any contract initiation
― Make security part of the process when any project is initiated
― Employee adequacy – ensure you have processes for handling new employees, changes of job and employees exiting the company; show that they were made aware of security requirements
― Third-party assurance – have processes in place to guard information held by third parties
― Culture – have a managerial structure in place that demonstrates a chain of responsibility for handling security and reporting errors
― 'Tone at the top'
― Shared ownership of good practices
― Openness & transparency – continuous improvement
State of the Nation – addressing Cyber Risk: four golden rules our plan is founded upon
Over 75% of attacks exploit failures to put in place basic controls.
Get the basics right
You have to prioritize where you spend your money to defend yourself, so build a fortress around your most critical asset.
Look after the crown jewels
Invest in understanding who might attack you, why and how, so that you can anticipate the most likely scenarios and defend those assets that are most likely to get attacked.
Do your homework on your enemies
Security and resilience can affect nearly every part of an organization. Strategies to protect IT security and business resiliency should align with an organization's broader goals – from protecting intellectual property to maximizing productivity to finding new ways to delight customers.
Treat cyber risk as an opportunity to look closely at your business
Solving the big 'Board reporting problem' in cyber – Jon Hawes, Security Intelligence Strategist, Panaseer
Cyber security insurance – Graeme Newman, Chief Innovation Officer, CFC
Tackling the insider threat – Garath Lauder, Director, Cyberseer; Ted Plumis, Vice President of Channels and Corporate Development, Exabeam
Social engineering: the art of the con – Rob Shapland, Penetration Testing Team Manager, First Base Technologies
Cryptography Basics – Dr David Weston, Lecturer in Computer Science and Information Systems, Birkbeck, University of London
Tokens, Honeypots, Identification, Authorisation Services – Ray Dalgarno, Director, CYBERCAST
Trust with "THIS"
Tokens, Honeypots, Identification, Authorisation Services – The Confluence
Agenda
Warfare
Attack Surface, Attribution, Residency, Deniability
Honeypots & Tokens
Identification and Authorisation
Conclusion
Warfare – Security through obscurity: the reason the armed forces adopt camouflage
NHS Cyber Attacks – The Telegraph, 1st Nov 2016
"…hacking is no longer the stuff of spy thrillers and action movies but a clear and present threat…"
"…Ben Gummer, minister for Cabinet, says that large quantities of sensitive data held by the NHS and the Government is being targeted by hackers…"
"…Ministers will also unveil a Cyber Security Research Institute, a virtual collection of UK universities which will work towards making passwords obsolete…"
Cyber Fraud
"…Online fraudsters stole £10.9bn in the UK last year…"
"…39% (of respondents) questioned by "Get Safe Online" said they were a victim of cybercrime but did not report it…"
"…53% received phishing messages…"
Extract from The Telegraph, 20th October 2016
Cyber Crime is a War Zone
"Rouse him and learn the principle of his activity or inactivity. Force him to reveal himself, so as to find out his vulnerable spots."
"If you know the enemy and know yourself, you need not fear the results of a hundred battles."
– Sun Tzu, Military General, Strategist & Philosopher, 5th Century BC, China
Deception is a powerful, effective but under-utilised tool – (at least by defenders)
Full range of "effects" on adversaries possible through deception
Deception Effects – Attacker & Defender
Effect: Fail to observe – Attacker: prevent the defender from detecting the attack. Defender: prevent the attacker from discovering their target.
Effect: Reveal – Attacker: trick the defender into providing access. Defender: trick the attacker into revealing their presence.
Effect: Waste time – Attacker: focus the defender's attention on the wrong aspects of the incident. Defender: focus the attacker's efforts on the wrong target.
Operation Mincemeat – 1943
Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa: to convince the Germans that, instead of attacking Sicily, the Allied armies would invade Greece.
This was accomplished by persuading the Germans that they had, by accident, intercepted top secret documents giving details of Allied war plans.
Attack Surface, Attribution, Residency, Deniability – From the living room to the boardroom
Attack Surface
From ordinary consumers to a single-office business, through the regulatory bodies to the national and global giants
The environment dictates the approach – no "Silver Bullet"
Layered security – combining multiple mitigating security controls to cost-effectively protect resources & data
Attack Attribution: at which point in the attack do you realise that you have been hacked?
TalkTalk, DNC, Yahoo
There are very few "smoking guns" visible
Attacks that often begin with broadly targeted phishing, that can introduce & run new binaries on victims' networks, & that connect to random internal hosts using exfiltrated credentials, can still remain hidden for a year
Examples of Global IT Vendors' Vulnerabilities
Microsoft: Microsoft's August (2016) Patch Tuesday included five updates rated critical out of a total of nine, bringing the number of patches for the year-to-date to 103.
SAP: There are vulnerabilities in almost every SAP module; CRM, EP and SRM are leaders among them. – ERPScan SAP Cyber Threat Report 2016
Oracle MICROS (and others): In total more than one million PoS terminals around the world could be at risk, should the attacks prove to have been deeper than the companies are currently publicly admitting. – Computing, Aug
Dwell Time / Residency
Mandiant reported that attackers on average lurked on a network for 205 days before being discovered¹
Microsoft recently reported they place the number at more than 200 days to detect a security breach and 80 days to contain it²
1. https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf
2. https://blogs.windows.com/windowsexperience/2016/03/01/announcing-windows-defender-advanced-threat-protection
Plausible Deniability & Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrongdoing cannot be proved as true or untrue, due to a lack of evidence proving the allegation.
It is a basic law for the cheat and the deceiver Be able to offer up an excuse that cannot be disproved easily and that makes sense for the situation
Trickle-down Effects
Increasing rapidity of car-trickle-down yester-yearsrsquo top end car innovations eventually migrate through the models becoming standard options in lower-priced vehicles
This pattern of innovation holds true in virtually every field including cyber- security
Malware as a Service (MaaS) ndash moving from the heavily funded specialist cyber experts down into the mass market
MaaS now commonly available at very low cost through the darknet and sites such TOR I2p
Honeypots amp TokensEvolution Mimicry
Honeypots
Venus Flytrap in Action (triggered honeypot)
Trojan Horse (passive honeypot) Greeks built used to enter the city of Troy and win the 10 year Trojan war - 4th Century story
Cartography A trap street (passive honeypot) is a fictitious entry in the form of a misrepresented street for the purpose of trapping potential copyright violators
Tempting - moneypot
All minehelliphelliphellip
Ooops
Honeypot Principle
Focus on detecting threats Here wersquod like to know immediately someone has broken into the network
and in places they shouldnrsquot be
Ensure the honeypot looks appealing to the attacker The honeypot must look legitimate amp enticing
In this attack scenario the defender has particular advantage Once attackers initially land inside your internal network theyrsquore at a
disadvantage They donrsquot know the lay of the land and they need to explore it (reconnaissance) while remaining hidden
Defence through Deception
Deception is a highly effective solution for protecting environments used to confuse delay and redirect the enemy
Lured to the Canary Honeypot the attacker will be tricked into engaging with that device and believe they are being successful in their attack
Canary ndash Today and Tomorrow
Canary - great for remote sites but what about our VM data centres
What about integration with established enterprise monitoring frameworks such as Openview CA or Microsoft SCOM
Console management limit on the number of deployed Canaries
Are ldquoCanarytokensrdquo part of tomorrowrsquos planning
Identification amp Authorisation
A new way forward
TokensTokens - In general a token is an object that represents something else such as another object (either physical or virtual) or an abstract concept In computer systems there are a number of types of tokens both hardware and software
In human terms a token of trust can exist between two parties with such levels of trust reinforced through personal introductions with other partiesA token generation amp management platform designed specifically for high security multi-services in public and private clouds
greatly enhances trustworthy information handling
Identification with Passwords Any directory service or managementplatform holding passwords becomes atarget by the attacker for credentialsrsquo theft
Passwords are fundamentally flawed Often easy to guess Are reused across different services Are written down or stored or shared Can be intercepted Are expensive to maintain 29 of all cybercrime is from stolen
passwords
Identification WITHOUT Password
The Problem The password has outlived itrsquos usefulness
Secure Cloudlinkrsquos Response Patented and highly secure tokenised message management
solution assures password redundancy User credentials are not transmitted stored or replicated Secure digital services - a snap for the user
Randomised encrypted key generation ndashno consistent key to be stolen
ConclusionPossible quick-wins
Immediate Low-risk ConsiderationsPeople protection Continuous inter-active education on the threats amp risks posed by cyber-criminals through the deployment of Phish5 email phishing simulations with supporting education processes
Network hardening Rapid deployment of customisable low-cost capex-free Canary honeypots throughout the strategic points on the network
Access amp authorisation protection Review and assess the usage amp costs (directindirect) of passwords in your own organisation ndash test the results against Secure Cloudlink
Information handling assurance Regular external expert assessment amp audit of network data governance practices and procedures
Security Through Obscurity
Warfare - The Social Threat
Attack Surface Attribution Residency Deniability -Livingroom to Boardroom
Honeypots amp Tokens ndash Evolution Mimicked
Identification and Authorisation ndash New Pathway
Thank you
Trust in ldquoTHISrdquo
Security through ObscurityRay Dalgarno
raycybercastco
New and evolving forms of malwareMark Olding Senior Enterprise Presales Consultant Kaspersky Labs
The what how who and why of computer malware
Mark OldingSenior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1NEW VIRUS EVERY HOUR
19941NEW VIRUS EVERY MINUTE
20061NEW VIRUS EVERY SECOND
2011310000NEW SAMPLES EVERY DAY
2016
THE SCALE OF THE THREAT
90
99
01
Targeted attacks
Advanced persistent threats
Traditional cybercrime
Targeted threats to organizations
Cyber-weapons
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of ThingsBig Data Fragmentation of the internet
Cloud amp Virtualization Consumerisation amp Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy amp Data protection challenge
Online banking at risk
Mobile threatsDecreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of ThingsTargeting hotel networks
Ransomware programs
Cyber mercenaries Massive data leaks
Malware for ATMs
Financial phishing attacksAttacks on
PoS terminals
Threats to Smart CitieslsquoWipersrsquo amp Cyber - sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email Exploit kits
Social Networks
BrowsersAn-droi-dOS
VULNERBILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798113087 web attacks in 2015
25 attacks per second1518 attacks per minute
21 million attacks per day 91000 attacks per hour
DRIVE-BY DOWNLOADS
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
bull Evaluate the risksbull Patch OS and applicationsbull Mange your networkbull Secure your systems
Multi-layered protection Not just endpoints Default-Deny Encrypt Donrsquot forget mobile
bull Educate staff
RIGHT NOW
bull Stop fire fighting Create a strategy
bull Itrsquos bigger than ITbull Delegate to experts
Assessment Incident response Analysis
TOMORROW
bull lsquoThe end of APTsrsquobull Alternative payment systems and stock exchangebull Sabotage extortion and shamebull Ransomwarebull Trusted resourcesbull From lsquoAPT-as-a-Servicersquo to lsquoAccess-as-a-servicersquobull Balkanisationbull Transportationbull lsquoCrypto-apocalypse
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
Case studies ndash insider threat
― December 2014
― Cause Malicious software deployed via lsquophishingrsquo attack used to obtain IDs and passwords
― Politically motivated
― Immediate result 100 terabytes of data stolen (the whole of the ldquocoukrdquo domain is only 68 Tb)
― Data included entire movies financials staff data salary data email records
― Data posted on the internet for download
― Impacts― REPUTATION ndash Deputy CEO forced to resign due to damaging email content
― FINANCIAL ndash Current financial cost estimated at $15m (impact reduced byinsurances and managed legal response)
Case studies ndash third party
― Spring 2014
― Cause Security compromise at third party AirCon and Ventilation contractor ndash access gained to Targetrsquos network
― Immediate result 70m customer records and 40m credit card records harvested across 1797 stores over extended period
― Data downloaded by criminals in Russia
― Impacts― FINANCIAL ndash Current financial cost to Target estimated at $61m (Industry-wide costs estimated at
$200m)
Get back to basics
― Itrsquos not just about the enemy at the gates (ie the perimeter)
― The perimeter is hard to define these days
― We cannot rely solely upon prevention ndash our detection and response capability must improve
We need to take the threat seriously
Get back to basics
― Technology and tools of the highest quality can be undermined by weaknesses in basic security practices
― Or by a flawed corporate culture
― CyberInformation risk is a problem for the entire business to resolve ndash not just IT
― Todayrsquos cyber criminals recognise this and exploit it by adopting a range of approaches which step away from the purely technical and exploit weaknesses in the way that organisations manage control and interact with their information
― A full frontal assault is unlikely to be profitable ndash an attacker will target compromise from the inside And they can be very patient
Get back to basics
Fundamentally addressing the Cyber Threat means going back to basics looking again at your organisation and the controls you already have
― Understanding your people ndash what threats do they pose After all there is no patch for stupidity
― Understanding your organisationrsquos information where it is and how it is used
― Identifying the main risks to physical and information assets
― Ensuring that the right measures are adopted to mitigate risk to within acceptable levels ndash balancing cost versus risk
Get back to basics ndash governance foundations
Unless the foundations of good information and security governance are working well any investment in security technology will most likely be wasted Fundamental areas for focus are
― Staff security training and awareness
― Robust oversight and management of third party suppliers
― Software amp hardware patch management
― Intelligent management amp admin of user access
― Clear policies on security acceptable system use and social media
People Process Tools In that order
Get back to basics – making it work
For effective and sustainable governance:
― Setting, maintaining and continuing to evolve the "tone at the top"
― Monitoring of information risk management by the Board of Directors
― Ongoing, practical and relevant awareness training
― Independent assurance
― Regular risk-based security testing, inside and outside the perimeter
What happens if a security breach occurs
― If a security breach occurs, organisations that follow clearly documented plans to reduce the impact of the breach have a much better chance of staying out of the law courts and avoiding punishment
― Most organisations unfortunately don't have good systems for actually managing the problem. If a breach occurs, the law is really concerned with your behaviour at that point in time. You can't unravel the past and pretend the breach didn't occur; it's what you do from that point on that will determine your culpability
― On top of having well documented systems and procedures, organisations need to have clearly defined actions for dealing with a breach and limiting the damage to those affected. This is likely to involve multiple disciplines that could include information security specialists, IT resources, a PR agency, legal advice and credit reporting services
― If you adopt an honourable stance from the outset, doing the right thing at the right time, then your legal team is in a very strong position to defend you to the regulator, arguing that you're not the kind of organisation that has the profile that requires all of the effect of the law and therefore the punishment
How to protect organisations from security breaches
― Take some basic steps to build a "protective shield", most notably:
― Build a single unified security policy
― Ensure information security forms part of any contract initiation
― Make security part of the process when any project is initiated
― Employee adequacy – ensure you have processes for handling new employees, changes of job and employees exiting the company; show that they were made aware of security requirements
― Third-party assurance – have processes in place to guard information held by third parties
― Culture – have a managerial structure in place that demonstrates a chain of responsibility for handling security and reporting errors
― 'Tone at the top'
― Shared ownership of good practices
― Openness & transparency – continuous improvement
State of the Nation – addressing Cyber Risk
Four golden rules our plan is founded upon:
1. Get the basics right – Over 75% of attacks exploit failures to put in place basic controls.
2. Look after the crown jewels – You have to prioritize where you spend your money to defend yourself, so build a fortress around your most critical assets.
3. Do your homework on your enemies – Invest in understanding who might attack you, why and how, so that you can anticipate the most likely scenarios and defend those assets that are most likely to get attacked.
4. Treat cyber risk as an opportunity to look closely at your business – Security and resilience can affect nearly every part of an organization. Strategies to protect IT security and business resiliency should align with an organization's broader goals – from protecting intellectual property to maximizing productivity to finding new ways to delight customers.
Solving the big 'Board reporting problem' in cyber – Jon Hawes, Security Intelligence Strategist, Panaseer
Cyber security insurance – Graeme Newman, Chief Innovation Officer, CFC
Tackling the insider threat – Garath Lauder, Director, Cyberseer; Ted Plumis, Vice President of Channels and Corporate Development, Exabeam
Social engineering: the art of the con – Rob Shapland, Penetration Testing Team Manager, First Base Technologies
Cryptography Basics – Dr David Weston, Lecturer in Computer Science and Information Systems, Birkbeck, University of London
Tokens, Honeypots, Identification, Authorisation Services – Ray Dalgarno, Director, CYBERCAST
Trust with "THIS"
Tokens, Honeypots, Identification, Authorisation Services: The Confluence
Agenda
Warfare
Attack Surface Attribution Residency Deniability
Honeypots amp Tokens
Identification and Authorisation
Conclusion
Warfare: Security through obscurity – the reason the armed forces adopt camouflage
NHS Cyber Attacks – The Telegraph, 1st Nov 2016
"…hacking is no longer the stuff of spy thrillers and action movies but a clear and present threat…"
"…Ben Gummer, Cabinet Office minister, says that large quantities of sensitive data held by the NHS and the Government is being targeted by hackers…"
"…Ministers will also unveil a Cyber Security Research Institute, a virtual collection of UK universities which will work towards making passwords obsolete…"
Cyber Fraud
"…Online fraudsters stole £10.9bn in the UK last year…"
"…39% (of respondents) questioned by "Get Safe Online" said they were a victim of cybercrime but did not report it…"
"…53% received phishing messages…"
Extract from The Telegraph, 20th October 2016
Cyber Crime is a War Zone
"Rouse him and learn the principle of his activity or inactivity. Force him to reveal himself so as to find out his vulnerable spots."
"If you know the enemy and know yourself you need not fear the results of a hundred battles."
- Sun Tzu, Military General, Strategist & Philosopher, 5th Century BC, China
Deception is a powerful, effective but under-utilised tool – (at least by defenders)
Full range of "effects" on adversaries possible through deception:
Deception Effects - Attacker & Defender
Effect: Fail to observe
  Attacker's use: Prevent the defender from detecting the attack
  Defender's use: Prevent the attacker from discovering their target
Effect: Reveal
  Attacker's use: Trick the defender into providing access
  Defender's use: Trick the attacker into revealing their presence
Effect: Waste time
  Attacker's use: Focus the defender's attention on the wrong aspects of the incident
  Defender's use: Focus the attacker's efforts on the wrong target
Operation Mincemeat - 1943
Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa: to convince the Germans that, instead of attacking Sicily, the Allied armies would invade Greece.
This was accomplished by persuading the Germans that they had, by accident, intercepted top secret documents giving details of Allied war plans.
Attack Surface, Attribution, Residency, Deniability
From the living room to the boardroom
Attack Surface
From ordinary consumers to a single-office business through the regulatory bodies to the national and global giants
The environment dictates the approach – no "Silver Bullet"
Layered security – combining multiple mitigating security controls to cost-effectively protect resources & data
Attack Attribution: At which point in the attack do you realise that you have been hacked?
TalkTalk, DNC, Yahoo
There are very few "smoking guns" visible
Attacks that begin with broadly targeted phishing, that introduce and run new binaries on the victim's network, and that then connect to arbitrary internal hosts using stolen credentials can still remain hidden for a year
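The last point is detectable if you look for its shape rather than for a signature: one set of credentials, used from one source host, reaching many internal hosts in a short window. The following is an added example, not from the deck; it runs a sliding-window fan-out check over a constructed, simplified rendering of Windows logon events (4624 = successful logon, logon type 3 = network logon). Host names, account names and the CSV layout are assumptions made for the illustration.

```python
"""Detect credential fan-out: one (account, source host) pair reaching many
distinct targets within a short window. Added example, not part of the deck.
Event rows are a constructed simplification of Windows security events."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample: ts,event_id,logon_type,account,source_host,target_host
SAMPLE_EVENTS = """\
2016-11-04T09:00:12,4624,3,alice,WS-042,FS-01
2016-11-04T09:05:40,4624,3,alice,WS-042,PRINT-01
2016-11-04T09:00:01,4624,3,bob,WS-110,FS-01
2016-11-04T09:30:01,4624,3,bob,WS-110,FS-02
2016-11-04T10:00:01,4624,3,bob,WS-110,FS-03
2016-11-04T10:30:01,4624,3,bob,WS-110,HR-DB
2016-11-04T11:00:01,4624,3,bob,WS-110,FIN-DB
2016-11-04T02:10:03,4624,3,svc-backup,WS-017,FS-01
2016-11-04T02:10:09,4624,3,svc-backup,WS-017,FS-02
2016-11-04T02:10:15,4624,3,svc-backup,WS-017,FS-03
2016-11-04T02:10:44,4624,3,svc-backup,WS-017,HR-DB
2016-11-04T02:11:02,4624,3,svc-backup,WS-017,FIN-DB
2016-11-04T02:11:30,4624,3,svc-backup,WS-017,DC-01
2016-11-04T02:11:35,4625,3,svc-backup,WS-017,DC-02
"""


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    event_id: int
    logon_type: int
    account: str
    src: str
    dst: str


@dataclass
class FanOutAlert:
    account: str
    src: str
    window_start: datetime
    window_end: datetime
    hosts: Set[str]


def parse_events(text: str) -> List[LogonEvent]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, account, src, dst = line.split(",")
        events.append(LogonEvent(datetime.fromisoformat(ts), int(eid), int(ltype), account, src, dst))
    return events


def detect_fan_out(events: List[LogonEvent], window: timedelta = timedelta(minutes=10),
                   threshold: int = 5) -> List[FanOutAlert]:
    """Flag (account, source host) pairs that reach >= threshold distinct targets
    inside any sliding window. Only successful network logons count: that is what
    re-use of stolen credentials over SMB/RPC/WinRM looks like in the logs."""
    by_key: Dict[Tuple[str, str], List[Tuple[datetime, str]]] = defaultdict(list)
    for e in events:
        if e.event_id == 4624 and e.logon_type == 3:
            by_key[(e.account, e.src)].append((e.ts, e.dst))
    alerts: List[FanOutAlert] = []
    for (account, src), items in by_key.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:   # slide the window forward
                start += 1
            hosts = {dst for _, dst in items[start:end + 1]}
            if len(hosts) >= threshold:
                alerts.append(FanOutAlert(account, src, items[start][0], items[end][0], hosts))
                break   # first qualifying window per pair is enough for triage
    return alerts


def demo() -> List[FanOutAlert]:
    return detect_fan_out(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for a in demo():
        print(f"{a.account} from {a.src}: {len(a.hosts)} hosts between "
              f"{a.window_start:%H:%M:%S} and {a.window_end:%H:%M:%S}: {sorted(a.hosts)}")
```

In the sample, bob touches five servers over two hours (normal admin work, never five inside ten minutes) and is not flagged; svc-backup touches five inside one minute at 02:10 and is. The second signal worth adding in a real deployment is the pairing itself: a backup service account should not be authenticating from a workstation at all.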
Examples of Global IT Vendorsrsquo Vulnerabilities
Microsoft: Microsoft's August 2016 Patch Tuesday included five updates rated critical out of a total of nine, bringing the number of patches for the year to date to 103.
SAP: There are vulnerabilities in almost every SAP module; CRM, EP and SRM are leaders among them. (ERPScan, SAP Cyber Threat Report 2016)
Oracle MICROS (and others): In total more than one million PoS terminals around the world could be at risk should the attacks prove to have been deeper than the companies are currently publicly admitting. (Computing, Aug)
Dwell Time / Residency
Mandiant reported that attackers on average lurked on a network for 205 days before being discovered [1]
Microsoft recently reported that they place the number at more than 200 days to detect a security breach and 80 days to contain it [2]
[1] https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf
[2] https://blogs.windows.com/windowsexperience/2016/03/01/announcing-windows-defender-advanced-threat-protection
Plausible Deniability & Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrongdoing cannot be proved as true or untrue due to a lack of evidence proving the allegation.
It is a basic law for the cheat and the deceiver: be able to offer up an excuse that cannot be disproved easily and that makes sense for the situation.
Trickle-down Effects
The car industry's trickle-down is accelerating: yesteryear's top-end car innovations eventually migrate through the models, becoming standard options in lower-priced vehicles.
This pattern of innovation holds true in virtually every field, including cyber security.
Malware as a Service (MaaS) – moving from the heavily funded specialist cyber experts down into the mass market.
MaaS is now commonly available at very low cost through darknet markets reached over anonymity networks such as Tor and I2P.
Honeypots & Tokens: Evolution, Mimicry
Honeypots
Venus Flytrap in action (triggered honeypot)
Trojan Horse (passive honeypot): built by the Greeks and used to enter the city of Troy and win the ten-year Trojan War, in the legend
Cartography: A trap street (passive honeypot) is a fictitious entry, in the form of a misrepresented street, for the purpose of trapping potential copyright violators
[Slide illustration: a tempting "moneypot" – "All mine…" – "Ooops"]
Honeypot Principle
Focus on detecting threats. Here we'd like to know immediately someone has broken into the network and is in places they shouldn't be.
Ensure the honeypot looks appealing to the attacker. The honeypot must look legitimate & enticing.
In this attack scenario the defender has a particular advantage. Once attackers initially land inside your internal network they're at a disadvantage: they don't know the lay of the land and they need to explore it (reconnaissance) while remaining hidden.
Defence through Deception
Deception is a highly effective solution for protecting environments used to confuse delay and redirect the enemy
Lured to the Canary Honeypot the attacker will be tricked into engaging with that device and believe they are being successful in their attack
Canary – Today and Tomorrow
Canary - great for remote sites, but what about our VM data centres?
What about integration with established enterprise monitoring frameworks such as OpenView, CA or Microsoft SCOM?
Is there a console management limit on the number of deployed Canaries?
Are "Canarytokens" part of tomorrow's planning?
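What makes a honeypot or a canary token work is that nothing legitimate ever touches it, so one hit is a high-confidence alert and the identity of the hit tells you which decoy was opened. The following is an added example of the token variant, not code from the deck or from the Canary / Canarytokens products: it mints unguessable URL tokens, records the decoy each was planted in, and scans constructed web-server access log lines for hits. The host canary.example.test is an assumed name for a server the defender controls.

```python
"""Canary-token style detection. Added example; not from the deck or any product.
A token is a unique, unguessable URL planted in a decoy artefact. Any request for
it is an alert, and the token ID identifies the decoy that was opened."""
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Apache/nginx "combined" access log format: ip ident user [ts] "req" status bytes "referer" "ua"
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
# Token paths look like /t/<16 hex chars>; anything after (query string, trailing slash) is tolerated.
TOKEN_PATH_RE = re.compile(r"^/t/(?P<id>[0-9a-f]{16})(?:[/?].*)?$")


@dataclass(frozen=True)
class Token:
    token_id: str
    planted_in: str      # the decoy the defender placed it in, e.g. a file on a share


@dataclass(frozen=True)
class Alert:
    token: Token
    source_ip: str
    user_agent: str
    timestamp: str


class CanaryRegistry:
    def __init__(self, base_url: str = "https://canary.example.test/t/"):   # assumed host
        self.base_url = base_url
        self._tokens: Dict[str, Token] = {}

    def mint_url(self, planted_in: str) -> str:
        """Return a URL to embed in a decoy. 64 random bits stop scanners from
        hitting a token by luck and make each token unique to its decoy."""
        token_id = secrets.token_hex(8)
        self._tokens[token_id] = Token(token_id, planted_in)
        return self.base_url + token_id

    def scan_access_log(self, lines: Iterable[str]) -> List[Alert]:
        alerts: List[Alert] = []
        for line in lines:
            m = ACCESS_LOG_RE.match(line)
            if not m:
                continue
            p = TOKEN_PATH_RE.match(m.group("path"))
            if not p:
                continue
            token = self._tokens.get(p.group("id"))
            if token is None:
                continue          # well-formed but unknown ID: scanner noise, not one of ours
            alerts.append(Alert(token, m.group("ip"), m.group("ua"), m.group("ts")))
        return alerts


def demo() -> List[Alert]:
    """Constructed walk-through: plant one token in a decoy spreadsheet, then scan the log."""
    reg = CanaryRegistry()
    url = reg.mint_url("finance share: Q3-payroll-draft.xlsx")
    token_id = url.rsplit("/", 1)[1]
    log = [   # constructed access log lines
        '198.51.100.7 - - [04/Nov/2016:10:14:58 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        f'203.0.113.9 - - [04/Nov/2016:10:15:02 +0000] "GET /t/{token_id} HTTP/1.1" 200 0 "-" "Microsoft Office/16.0"',
        '203.0.113.9 - - [04/Nov/2016:10:15:03 +0000] "GET /t/0000000000000000 HTTP/1.1" 404 0 "-" "masscan/1.0"',
    ]
    return reg.scan_access_log(log)


if __name__ == "__main__":
    for a in demo():
        print(f"CANARY HIT: {a.token.planted_in} opened from {a.source_ip} ({a.user_agent}) at {a.timestamp}")
```

The registry, not the log, is the source of truth: a request for a token-shaped path that was never minted is dropped, which keeps mass scanners out of the alert queue, and because each decoy gets its own token the alert names the file that was opened rather than just "someone hit the canary".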
Identification & Authorisation
A new way forward
Tokens - In general, a token is an object that represents something else, such as another object (either physical or virtual) or an abstract concept. In computer systems there are a number of types of tokens, both hardware and software.
In human terms, a token of trust can exist between two parties, with such levels of trust reinforced through personal introductions with other parties.
A token generation & management platform designed specifically for high security multi-services in public and private clouds greatly enhances trustworthy information handling.
Identification with Passwords: Any directory service or management platform holding passwords becomes a target for the attacker for credential theft.
Passwords are fundamentally flawed: often easy to guess; reused across different services; written down, stored or shared; can be intercepted; expensive to maintain. 29% of all cybercrime is from stolen passwords.
Identification WITHOUT Password
The Problem: The password has outlived its usefulness.
Secure Cloudlink's Response: Patented and highly secure tokenised message management solution assures password redundancy. User credentials are not transmitted, stored or replicated. Secure digital services - a snap for the user.
Randomised encrypted key generation – no consistent key to be stolen.
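The generic mechanism behind "credentials are not transmitted" is challenge-response: the server sends a fresh random nonce and the client returns a MAC over it keyed with a secret that never leaves the device, so an intercepted exchange is worthless and a replay of it is rejected. The following is an added example illustrating that idea in its simplest stdlib form; it is not Secure Cloudlink's patented design and should not be read as a description of it. One caveat the slide glosses over: the server here still stores a per-user key, so that key store remains a target. Only an asymmetric variant, where the server keeps public keys alone, removes that exposure. Names such as AuthServer and the "auth-v1" domain tag are assumptions for the illustration.

```python
"""HMAC challenge-response identification: no password on the wire, single-use
nonces with a short lifetime. Added example, not any vendor's protocol."""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Tuple

NONCE_TTL_SECONDS = 30


def compute_response(key: bytes, user: str, nonce: str) -> str:
    """Client side. Domain-separated input: a response for one user/nonce pair
    cannot be reused for another user or another challenge."""
    msg = b"auth-v1|" + user.encode() + b"|" + nonce.encode()   # "auth-v1" tag is an assumption
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class AuthServer:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._keys: Dict[str, bytes] = {}                 # user -> enrolled device key (still a secret to protect)
        self._pending: Dict[str, Tuple[str, float]] = {}  # nonce -> (user, issued_at)
        self._clock = clock

    def enrol(self, user: str) -> bytes:
        """Generate a random 256-bit key and return it once for provisioning the
        user's device out of band. Nothing human-memorable, nothing reused elsewhere."""
        key = secrets.token_bytes(32)
        self._keys[user] = key
        return key

    def challenge(self, user: str) -> str:
        nonce = secrets.token_hex(16)
        self._pending[nonce] = (user, self._clock())
        return nonce

    def verify(self, user: str, nonce: str, response: str) -> bool:
        entry = self._pending.pop(nonce, None)   # single use: consumed whether or not it verifies
        if entry is None or entry[0] != user:
            return False
        if self._clock() - entry[1] > NONCE_TTL_SECONDS:
            return False                          # stale challenge: forces a fresh round trip
        key = self._keys.get(user)
        if key is None:
            return False
        expected = compute_response(key, user, nonce)
        return hmac.compare_digest(expected, response)   # constant-time comparison


def demo() -> Tuple[bool, bool]:
    """One honest login followed by a replay of the captured exchange."""
    server = AuthServer()
    key = server.enrol("alice")                       # provisioned to alice's device out of band
    nonce = server.challenge("alice")                 # server -> client
    resp = compute_response(key, "alice", nonce)      # client -> server: no key, no password on the wire
    first = server.verify("alice", nonce, resp)       # True
    replay = server.verify("alice", nonce, resp)      # captured and replayed: False
    return first, replay


if __name__ == "__main__":
    print(demo())
```

The `clock` parameter exists so the expiry path can be exercised deterministically; in production leave it at `time.time`. Against the slide's list of password failings: the key is random (not guessable), per service (not reusable), never typed or transmitted (not interceptable, not written down), and the nonce discipline means a captured exchange cannot be replayed.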
Conclusion: Possible quick wins
Immediate Low-risk Considerations
People protection: Continuous interactive education on the threats & risks posed by cyber-criminals, through the deployment of Phish5 email phishing simulations with supporting education processes
Network hardening: Rapid deployment of customisable, low-cost, capex-free Canary honeypots throughout the strategic points on the network
Access & authorisation protection: Review and assess the usage & costs (direct/indirect) of passwords in your own organisation – test the results against Secure Cloudlink
Information handling assurance: Regular external expert assessment & audit of network data governance practices and procedures
Security Through Obscurity
Warfare - The Social Threat
Attack Surface, Attribution, Residency, Deniability - Living room to Boardroom
Honeypots & Tokens – Evolution Mimicked
Identification and Authorisation – New Pathway
Thank you
Trust in "THIS"
Security through Obscurity – Ray Dalgarno
ray@cybercast.co
New and evolving forms of malware – Mark Olding, Senior Enterprise Presales Consultant, Kaspersky Labs
The what, how, who and why of computer malware
THE SCALE OF THE THREAT
1994: 1 new virus every hour
2006: 1 new virus every minute
2011: 1 new virus every second
2016: 310,000 new samples every day
THE SCALE OF THE THREAT
[Chart: the threat pyramid – traditional cybercrime; targeted attacks / advanced persistent threats (targeted threats to organizations); cyber-weapons. Chart labels as extracted: 90, 99, 01]
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of Things
Big Data
Fragmentation of the internet
Cloud & Virtualization
Consumerisation & Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy & Data protection challenge
Online banking at risk
Mobile threats
Decreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Targeting hotel networks
Ransomware programs
Cyber mercenaries
Massive data leaks
Malware for ATMs
Financial phishing attacks
Attacks on PoS terminals
Threats to Smart Cities
'Wipers' & Cyber-sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email
Exploit kits
Social Networks
Browsers
Android OS
VULNERABILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798,113,087 web attacks in 2015:
2.1 million attacks per day / 91,000 attacks per hour / 1,518 attacks per minute / 25 attacks per second
DRIVE-BY DOWNLOADS (June 2015)
SOCIAL MEDIA (June 2015)
REMOVABLE DRIVES (June 2015)
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
[Chart: users attacked by online-banking malware per month, Nov 2014 – Sep 2015; y-axis 0 – 450,000 users]
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on almost 2 million computers.
This number is 2.8% higher than in 2014.
Ransomware (June 2015)
BLOCKERS
CRYPTORS
Advanced Persistent Threats
We discover and dissect the world's most sophisticated malware:
Stuxnet, Duqu, Gauss, Flame, MiniFlame, Kimsuky, NetTraveler, Winnti, Icefog, Red October, Miniduke, TeamSpy, Energetic Bear / Crouching Yeti, Epic Turla, Careto / The Mask, Regin, CosmicDuke, Darkhotel, Spring Dragon, Satellite Turla, MsnMM Campaigns, Darkhotel Part 2, Animal Farm, Equation, Desert Falcons, Carbanak, Sofacy, Hellsing, Naikon, Duqu 2.0, Blue Termite, Wild Neutron
HOW THE CARBANAK CYBERGANG STOLE $1bn – a targeted attack on a bank
1. Infection: Carbanak sent the backdoor as an attachment, in emails with exploits, to bank employees.
2. Harvesting intelligence: credentials stolen; hundreds of machines infected in search of the admin PC; the clerk's screen recorded and intercepted.
3. Mimicking the staff – how the money was stolen through the cash transfer systems:
   Online banking: money was transferred to the fraudsters' accounts
   E-payment systems: money was transferred to banks in China and the US
   Inflated account balances: the extra funds were pocketed via a fraudulent transaction
   Controlling ATMs: orders to dispense cash at a pre-determined time
MAC MALWARE
In 2012 the Flashback botnet was discovered, consisting of 700,000 computers all running Mac OS X.
Cybercriminals repeatedly use Mac malware when launching targeted attacks.
Macs can unknowingly pass PC malware on to PCs in your network.
[Chart: Mac malware samples by period – 2003-2005, 2007-2009, 2011-2013, 2015; y-axis 0 – 30,000]
Since 2012 the proportion of adware on OS X has increased fivefold (x5).
Kaspersky Lab recorded almost 6 million unique attacks on Mac devices in 2015.
There are more than 24,000 samples of malicious OS X files in Kaspersky Lab's collection.
MOBILE MALWARE
[Chart: mobile malware samples per quarter, Q1 2011 – Q3 2015; y-axis 0 – 1,600,000]
[Chart: mobile malware by category – Adware, RiskTool, Trojan-SMS, Trojan, Trojan-Spy, Backdoor, Trojan-Downloader, Trojan-Banker, Trojan-Ransom, Monitor, Other]
RIGHT NOW
• Evaluate the risks
• Patch OS and applications
• Manage your network
• Secure your systems: multi-layered protection, not just endpoints; default-deny; encrypt; don't forget mobile
• Educate staff
• Stop fire fighting: create a strategy
• It's bigger than IT
• Delegate to experts: assessment, incident response, analysis
TOMORROW – FUTURE PROSPECTS
• 'The end of APTs'
• Alternative payment systems and stock exchange
• Sabotage, extortion and shame
• Ransomware
• Trusted resources
• From 'APT-as-a-Service' to 'Access-as-a-Service'
• Balkanisation
• Transportation
• 'Crypto-apocalypse'
THANK YOU
Closing keynote address – Vicki Gavin, Compliance Director, Head of Business Continuity & Information Security, The Economist Group
Thank you
Case studies – third party
― Spring 2014
― Cause: Security compromise at a third party air-conditioning and ventilation contractor – access gained to Target's network
― Immediate result: 70m customer records and 40m credit card records harvested across 1,797 stores over an extended period
― Data downloaded by criminals in Russia
― Impacts:
― FINANCIAL – Current financial cost to Target estimated at $61m (industry-wide costs estimated at $200m)
Get back to basics
― It's not just about the enemy at the gates (i.e. the perimeter)
― The perimeter is hard to define these days
― We cannot rely solely upon prevention – our detection and response capability must improve
We need to take the threat seriously
Get back to basics
― Technology and tools of the highest quality can be undermined by weaknesses in basic security practices
― Or by a flawed corporate culture
― CyberInformation risk is a problem for the entire business to resolve ndash not just IT
― Todayrsquos cyber criminals recognise this and exploit it by adopting a range of approaches which step away from the purely technical and exploit weaknesses in the way that organisations manage control and interact with their information
― A full frontal assault is unlikely to be profitable ndash an attacker will target compromise from the inside And they can be very patient
Get back to basics
Fundamentally addressing the Cyber Threat means going back to basics looking again at your organisation and the controls you already have
― Understanding your people ndash what threats do they pose After all there is no patch for stupidity
― Understanding your organisationrsquos information where it is and how it is used
― Identifying the main risks to physical and information assets
― Ensuring that the right measures are adopted to mitigate risk to within acceptable levels ndash balancing cost versus risk
Get back to basics ndash governance foundations
Unless the foundations of good information and security governance are working well any investment in security technology will most likely be wasted Fundamental areas for focus are
― Staff security training and awareness
― Robust oversight and management of third party suppliers
― Software amp hardware patch management
― Intelligent management amp admin of user access
― Clear policies on security acceptable system use and social media
People Process Tools In that order
Get back to basics ndash making it work
For effective and sustainable governance
― Setting maintaining and continuing to evolve the ldquotone at the toprdquo
― Monitoring of information risk management by the Board of Directors
― Ongoing practical and relevant awareness training
― Independent assurance
― Regular risk-based security testing Inside and outside the perimeter
What happens if a security breach occurs
― If a security breach occurs organisations that follow clearly documented plans to reduce the impact of the breach have a much better chance of staying out of the law courts and avoiding punishment
― Most organisations unfortunately dont have good systems for actually managing the problem If a breach occurs the law is really concerned with your behaviour at that point in time You cant unravel the past and pretend the breach didnt occur its what you do from that point on that will determine your culpability
― On top of having well documented systems and procedures organisations need to have clearly defined actions for dealing with a breach and limiting the damage to those affected This is likely to involve multiple disciplines that could include information security specialists IT resources a PR agency legal advice and credit reporting services
― If you adopt an honourable stance from the outset doing the right thing at the right time then your legal team is in a very strong position to defend you to the regulator arguing that youre not the kind of organisation that has the profile that requires all of the effect of the law and therefore the punishment
How to protect organisations from security breaches
― Take some basic steps to build a protective shieldrdquo most notably― Build a single unified security policy
― Ensure information security forms part of any contract initiation
― Make security part of the process when any project is initiated
― Employee adequacy ndash ensure you have processes for handling new employees changes of job and for employees exiting the company show that they were made aware of security requirements
― Third-party assurance ndash have processes in place to guard information held by third parties
― Culture ndash have a managerial structure in place that demonstrates a chain of responsibility for handling security and reporting errors― lsquoTone at the toprsquo
― Shared ownership of good practices
― Openness amp transparency ndash continuous improvement
State of the Nation ndash addressing Cyber RiskFour golden rules our plan is founded upon
Over 75 of attacks exploit failures to put in place basic controls
Get the basics right
You have to prioritize where you spend your money to defend yourself so build a fortress
around your most critical asset
Look after the crown jewels
Invest in understanding who might attack you why and how so that you can anticipate the most likely scenarios and defend those assets that are
most likely to get attacked
Do your homework on your enemies
Security and resilience can affect nearly every part of an organization Strategies to protect IT
security and business resiliency should align with an organizationrsquos broader goals ndash from protecting intellectual property to maximizing productivity to
finding new ways to delight customers
Treat cyber risk as an opportunity to look closely at your business
Solving the big lsquoBoard reporting problemrsquo in cyberJon Hawes Security Intelligence Strategist Panaseer
Cyber security insuranceGraeme Newman Chief Innovation OfficerCFC
Tackling the insider threatGarath Lauder Director CyberseerTed Plumis Vice President of Channels and Corporate Development Exabeam
Social engineering the art of the conRob Shapland Penetration Testing Team Manager First Base Technologies
Cryptography Basics Dr David Weston Lecturer in Computer Science and Information SystemsBirkbeck University of London
Tokens Honeypots Idenitfication Authorisation Services Ray Dalgarno Director CYBERCAST
Trust with ldquoTHISrdquo
TokensHoneypots
Identification Authorisation ServicesThe Confluence
Agenda
Warfare
Attack Surface Attribution Residency Deniability
Honeypots amp Tokens
Identification and Authorisation
Conclusion
WarfareSecurity through obscurity ndash
the reason the armed forces adopt camouflage
NHS Cyber Attacks ndash The Telegraph 1st Nov 2016
ldquohelliphacking is no longer the stuff of spy thrillers and action movies but a clear and present threathelliprdquo
ldquohellipBen Gummer minister for Cabinet says that large quantities of sensitive data held by the NHS and the Government is being targeted by hackershelliprdquo
ldquohellipMinisters will also unveil a Cyber Security Research Institute a virtual collection of UK universities which will work towards making passwords obsoletehelliprdquo
Cyber Fraud
ldquohellipOnline fraudsters stole pound109bn in the UK last yearhelliprdquo
ldquohellip39 (of respondents) questioned by ldquoGet Safe Onlinerdquo said they were a victim of cybercrime but did not report ithelliprdquo
ldquohellip53 received phishing messageshelliprdquo
Extract from The Telegraph 20th October 2016
Cyber Crime is a War ZoneldquoRouse him and learn the principle of his activity or inactivity Force him to reveal himself so as to find out his vulnerable spotsrdquoldquoIf you know the enemy and know yourself you need not fear the results of a hundred battlesrdquo
- Sun Tzu Military General Strategist amp Philosopher 5th Century BC ChinaDeception is a powerful effective but under utilised tool ndash (at least by defenders)
Full range of ldquoeffectsrdquo on adversaries possible through deception
Effects Attacker Defender
Fail to observe
Prevent the defender from detecting the attack Prevent the attacker from discovering their target
Reveal
Trick the defender into providing access Trick the attacker into revealing their presence
Waste Time
Focus the defenderrsquos attention on the wrong aspects of the incident
Focus the attackerrsquos efforts on the wrong target
Deception Effects - Attacker amp Defender
Operation Mincemeat - 1943
Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa To convince the Germans that instead of attacking Sicily the Allied armies would invade Greece
Operation Mincemeat - 1943Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa To convince the Germans that instead of attacking Sicily the Allied armies would invade Greece
This was accomplished by persuading the Germans that they had by accident intercepted top secret documents giving details of Allied war plans
Attack Surface Attribution Residency
DeniabilityFrom the living room to the boardroom
Attack Surface
From ordinary consumers to a single-office business through the regulatory bodies to the national and global giants
The environment dictates the approach ndash no ldquoSilver Bulletrdquo
Layered security ndash combining multiple mitigating security controls to cost effectively protect resources amp data
Attack AttributionAt which point in the attack do you realise that you have been hacked
TalkTalk DNC Yahoo
There are very few ldquosmoking gunsrdquo visible
Attacks that often begin with broadly targeted phishing that can introduce amp run new binaries on victims networks amp that connect to random internal hosts using exfiltrated credentials can still remain hidden for a year
Examples of Global IT Vendorsrsquo Vulnerabilities
Microsoft Microsoft August (2016) Patch Tuesday included five updates rated
critical out of a total of nine bringing the number of patches for the year-to-date at 103
SAP There are vulnerabilities in almost every SAP module CRM EP and SRM
are leaders among them ERPScan SAP Cyber Threat Report2016
Oracle MICROS (and others) In total more than one million PoS terminals around the world could be
at risk should the attacks prove to have been deeper than the companies are currently publicly admitting
Computing Aug
Dwell TimeResidency
Mandiant reported that attackers on average lurked on a network for 205 days before being discoveredsup1
Microsoft recently reported they place the number at more than 200 days to detect a security breach and 80 days to contain itsup2
1 httpswww2fireeyecomrsfireyeimagesrpt-m-trends-2015pdf2 httpsblogswindowscomwindowsexperience20160301announcing-windows-defender-advanced-threat-protection
Plausible Deniability amp Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrong doing cannot be proved as true or untrue due to a lack of evidence proving the allegation
It is a basic law for the cheat and the deceiver Be able to offer up an excuse that cannot be disproved easily and that makes sense for the situation
Trickle-down Effects
Increasing rapidity of car-trickle-down yester-yearsrsquo top end car innovations eventually migrate through the models becoming standard options in lower-priced vehicles
This pattern of innovation holds true in virtually every field including cyber- security
Malware as a Service (MaaS) ndash moving from the heavily funded specialist cyber experts down into the mass market
MaaS now commonly available at very low cost through the darknet and sites such TOR I2p
Honeypots amp TokensEvolution Mimicry
Honeypots
Venus Flytrap in Action (triggered honeypot)
Trojan Horse (passive honeypot) Greeks built used to enter the city of Troy and win the 10 year Trojan war - 4th Century story
Cartography A trap street (passive honeypot) is a fictitious entry in the form of a misrepresented street for the purpose of trapping potential copyright violators
Tempting - moneypot
All minehelliphelliphellip
Ooops
Honeypot Principle
Focus on detecting threats Here wersquod like to know immediately someone has broken into the network
and in places they shouldnrsquot be
Ensure the honeypot looks appealing to the attacker The honeypot must look legitimate amp enticing
In this attack scenario the defender has particular advantage Once attackers initially land inside your internal network theyrsquore at a
disadvantage They donrsquot know the lay of the land and they need to explore it (reconnaissance) while remaining hidden
Defence through Deception
Deception is a highly effective solution for protecting environments used to confuse delay and redirect the enemy
Lured to the Canary Honeypot the attacker will be tricked into engaging with that device and believe they are being successful in their attack
Canary ndash Today and Tomorrow
Canary - great for remote sites but what about our VM data centres
What about integration with established enterprise monitoring frameworks such as Openview CA or Microsoft SCOM
Console management limit on the number of deployed Canaries
Are ldquoCanarytokensrdquo part of tomorrowrsquos planning
Identification & Authorisation
A new way forward
Tokens - In general, a token is an object that represents something else, such as another object (either physical or virtual) or an abstract concept. In computer systems there are a number of types of tokens, both hardware and software.
In human terms, a token of trust can exist between two parties, with such levels of trust reinforced through personal introductions with other parties. A token generation & management platform designed specifically for high security multi-services in public and private clouds greatly enhances trustworthy information handling.
Identification with Passwords: Any directory service or management platform holding passwords becomes a target by the attacker for credentials' theft.
Passwords are fundamentally flawed: often easy to guess; are reused across different services; are written down, stored or shared; can be intercepted; are expensive to maintain. 29% of all cybercrime is from stolen passwords.
Identification WITHOUT Password
The Problem: The password has outlived its usefulness.
Secure Cloudlink's Response: Patented and highly secure tokenised message management solution assures password redundancy. User credentials are not transmitted, stored or replicated. Secure digital services - a snap for the user.
Randomised encrypted key generation – no consistent key to be stolen.
Conclusion: Possible quick-wins
Immediate Low-risk Considerations
People protection: Continuous interactive education on the threats & risks posed by cyber-criminals, through the deployment of Phish5 email phishing simulations with supporting education processes.
Network hardening: Rapid deployment of customisable, low-cost, capex-free Canary honeypots throughout the strategic points on the network.
Access & authorisation protection: Review and assess the usage & costs (direct/indirect) of passwords in your own organisation – test the results against Secure Cloudlink.
Information handling assurance: Regular external expert assessment & audit of network data governance practices and procedures.
Security Through Obscurity
Warfare - The Social Threat
Attack Surface, Attribution, Residency, Deniability - Living room to Boardroom
Honeypots & Tokens – Evolution Mimicked
Identification and Authorisation – New Pathway
Thank you
Trust in "THIS"
Security through Obscurity – Ray Dalgarno
ray@cybercast.co
New and evolving forms of malware – Mark Olding, Senior Enterprise Presales Consultant, Kaspersky Labs
The what, how, who and why of computer malware
Mark Olding, Senior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1994: 1 new virus every hour
2006: 1 new virus every minute
2011: 1 new virus every second
2016: 310,000 new samples every day
[Chart: Traditional cybercrime 90%; Targeted attacks / advanced persistent threats (targeted threats to organizations) 9.9%; Cyber-weapons 0.1%]
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of Things; Big Data; Fragmentation of the internet; Cloud & Virtualization; Consumerisation & Mobility; Critical Infrastructure at risk; Increasing online commerce; Privacy & Data protection challenge; Online banking at risk; Mobile threats; Decreasing costs of APTs; Merger of cyber crime and APTs; Supply chain attacks; Targeting hotel networks; Ransomware programs; Cyber mercenaries; Massive data leaks; Malware for ATMs; Financial phishing attacks; Attacks on PoS terminals; Threats to Smart Cities; 'Wipers' & Cyber-sabotage; Targeted Attacks
HOW MALWARE SPREADS
USB sticks; Email; Exploit kits; Social Networks; Browsers; Android OS
VULNERABILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798,113,087 web attacks in 2015
25 attacks per second; 1,518 attacks per minute
91,000 attacks per hour; 2.1 million attacks per day
DRIVE-BY DOWNLOADS (June 2015)
SOCIAL MEDIA
REMOVABLE DRIVES
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
[Chart: users attacked, Nov-14 to Sep-15; y-axis: users, 0 to 450,000]
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers.
This number is 2.8% higher than in 2014.
Ransomware
BLOCKERS
CRYPTORS
Advanced Persistent Threats
Stuxnet
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetic Bear / Crouching Yeti
Epic Turla
Careto / The Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 2.0
Blue Termite
Wild Neutron
We discover and dissect the world's most sophisticated malware.
HOW THE CARBANAK CYBERGANG STOLE $1bn
A targeted attack on a bank
1. Infection: Carbanak sent the backdoor as an attachment – emails with exploits to bank employees; credentials stolen; 100s of machines infected in search of the admin PC.
2. Harvesting intelligence: intercepting the clerk's screen (admin, REC, cash transfer systems).
3. Mimicking the staff – how the money was stolen:
Online banking – money was transferred to the fraudsters' accounts
E-payment systems – money was transferred to banks in China and the US
Inflated account balances – the extra funds were pocketed via a fraudulent transaction
Controlling ATMs – orders to dispense cash at a pre-determined time
MAC MALWARE
In 2012 the Flashback botnet was discovered, consisting of 700,000 computers all running under Mac OS X.
Cybercriminals repeatedly use Mac malware when launching targeted attacks.
Macs can unknowingly pass PC malware onto PCs in your network.
[Chart: Mac malware samples, 2003 to 2015; y-axis: 0 to 30,000]
Since 2012 the proportion of adware on OS X has increased fivefold (x5).
Kaspersky Lab recorded almost 6 million unique attacks on Mac devices in 2015.
There are more than 24,000 samples of malicious OS X files in Kaspersky Lab's collection.
MOBILE MALWARE
[Chart: mobile malware samples by quarter, Q1 2011 to Q3 2015; y-axis: 0 to 1,600,000]
[Chart: mobile malware by type] Adware; RiskTool; Trojan-SMS; Trojan; Trojan-Spy; Backdoor; Trojan-Downloader; Trojan-Banker; Trojan-Ransom; Monitor; Other
RIGHT NOW
• Evaluate the risks
• Patch OS and applications
• Manage your network
• Secure your systems: multi-layered protection, not just endpoints; Default-Deny; encrypt; don't forget mobile
• Educate staff
• Stop fire fighting: create a strategy
• It's bigger than IT
• Delegate to experts: assessment, incident response, analysis
TOMORROW – FUTURE PROSPECTS
• 'The end of APTs'
• Alternative payment systems and stock exchange
• Sabotage, extortion and shame
• Ransomware
• Trusted resources
• From 'APT-as-a-Service' to 'Access-as-a-Service'
• Balkanisation
• Transportation
• 'Crypto-apocalypse'
THANK YOU
Closing keynote address – Vicki Gavin, Compliance Director, Head of Business Continuity & Information Security, The Economist Group
Thank you
Get back to basics
― It's not just about the enemy at the gates (i.e. the perimeter)
― The perimeter is hard to define these days
― We cannot rely solely upon prevention – our detection and response capability must improve
We need to take the threat seriously
Get back to basics
― Technology and tools of the highest quality can be undermined by weaknesses in basic security practices
― Or by a flawed corporate culture
― Cyber/Information risk is a problem for the entire business to resolve – not just IT
― Today's cyber criminals recognise this and exploit it by adopting a range of approaches which step away from the purely technical and exploit weaknesses in the way that organisations manage, control and interact with their information
― A full frontal assault is unlikely to be profitable – an attacker will target compromise from the inside. And they can be very patient
Get back to basics
Fundamentally, addressing the Cyber Threat means going back to basics, looking again at your organisation and the controls you already have:
― Understanding your people – what threats do they pose? After all, there is no patch for stupidity
― Understanding your organisation's information: where it is and how it is used
― Identifying the main risks to physical and information assets
― Ensuring that the right measures are adopted to mitigate risk to within acceptable levels – balancing cost versus risk
Get back to basics – governance foundations
Unless the foundations of good information and security governance are working well, any investment in security technology will most likely be wasted. Fundamental areas for focus are:
― Staff security training and awareness
― Robust oversight and management of third party suppliers
― Software & hardware patch management
― Intelligent management & admin of user access
― Clear policies on security, acceptable system use and social media
People, Process, Tools. In that order.
Get back to basics – making it work
For effective and sustainable governance:
― Setting, maintaining and continuing to evolve the "tone at the top"
― Monitoring of information risk management by the Board of Directors
― Ongoing, practical and relevant awareness training
― Independent assurance
― Regular risk-based security testing, inside and outside the perimeter
What happens if a security breach occurs?
― If a security breach occurs, organisations that follow clearly documented plans to reduce the impact of the breach have a much better chance of staying out of the law courts and avoiding punishment
― Most organisations unfortunately don't have good systems for actually managing the problem. If a breach occurs, the law is really concerned with your behaviour at that point in time. You can't unravel the past and pretend the breach didn't occur; it's what you do from that point on that will determine your culpability
― On top of having well documented systems and procedures, organisations need to have clearly defined actions for dealing with a breach and limiting the damage to those affected. This is likely to involve multiple disciplines that could include information security specialists, IT resources, a PR agency, legal advice and credit reporting services
― If you adopt an honourable stance from the outset, doing the right thing at the right time, then your legal team is in a very strong position to defend you to the regulator, arguing that you're not the kind of organisation that has the profile that requires all of the effect of the law and therefore the punishment
How to protect organisations from security breaches
― Take some basic steps to build a "protective shield", most notably:
― Build a single unified security policy
― Ensure information security forms part of any contract initiation
― Make security part of the process when any project is initiated
― Employee adequacy – ensure you have processes for handling new employees, changes of job and for employees exiting the company; show that they were made aware of security requirements
― Third-party assurance – have processes in place to guard information held by third parties
― Culture – have a managerial structure in place that demonstrates a chain of responsibility for handling security and reporting errors
― 'Tone at the top'
― Shared ownership of good practices
― Openness & transparency – continuous improvement
State of the Nation – addressing Cyber Risk
Four golden rules our plan is founded upon:
Get the basics right: Over 75% of attacks exploit failures to put in place basic controls.
Look after the crown jewels: You have to prioritize where you spend your money to defend yourself, so build a fortress around your most critical asset.
Do your homework on your enemies: Invest in understanding who might attack you, why and how, so that you can anticipate the most likely scenarios and defend those assets that are most likely to get attacked.
Treat cyber risk as an opportunity to look closely at your business: Security and resilience can affect nearly every part of an organization. Strategies to protect IT security and business resiliency should align with an organization's broader goals – from protecting intellectual property to maximizing productivity to finding new ways to delight customers.
Solving the big 'Board reporting problem' in cyber – Jon Hawes, Security Intelligence Strategist, Panaseer
Cyber security insurance – Graeme Newman, Chief Innovation Officer, CFC
Tackling the insider threat – Garath Lauder, Director, Cyberseer; Ted Plumis, Vice President of Channels and Corporate Development, Exabeam
Social engineering: the art of the con – Rob Shapland, Penetration Testing Team Manager, First Base Technologies
Cryptography Basics – Dr David Weston, Lecturer in Computer Science and Information Systems, Birkbeck, University of London
Tokens, Honeypots, Identification, Authorisation Services – Ray Dalgarno, Director, CYBERCAST
Trust with "THIS"
Tokens, Honeypots, Identification, Authorisation Services: The Confluence
Agenda
Warfare
Attack Surface, Attribution, Residency, Deniability
Honeypots & Tokens
Identification and Authorisation
Conclusion
Warfare
Security through obscurity – the reason the armed forces adopt camouflage
NHS Cyber Attacks – The Telegraph, 1st Nov 2016
"…hacking is no longer the stuff of spy thrillers and action movies but a clear and present threat…"
"…Ben Gummer, minister for Cabinet, says that large quantities of sensitive data held by the NHS and the Government is being targeted by hackers…"
"…Ministers will also unveil a Cyber Security Research Institute, a virtual collection of UK universities, which will work towards making passwords obsolete…"
Cyber Fraud
"…Online fraudsters stole £10.9bn in the UK last year…"
"…39% (of respondents) questioned by "Get Safe Online" said they were a victim of cybercrime but did not report it…"
"…53% received phishing messages…"
Extract from The Telegraph, 20th October 2016
Cyber Crime is a War Zone
"Rouse him and learn the principle of his activity or inactivity. Force him to reveal himself so as to find out his vulnerable spots."
"If you know the enemy and know yourself you need not fear the results of a hundred battles."
- Sun Tzu, Military General, Strategist & Philosopher, 5th Century BC, China
Deception is a powerful, effective but under-utilised tool – (at least by defenders)
Full range of "effects" on adversaries possible through deception
Deception Effects - Attacker & Defender
Fail to observe: Attacker – prevent the defender from detecting the attack. Defender – prevent the attacker from discovering their target.
Reveal: Attacker – trick the defender into providing access. Defender – trick the attacker into revealing their presence.
Waste time: Attacker – focus the defender's attention on the wrong aspects of the incident. Defender – focus the attacker's efforts on the wrong target.
Operation Mincemeat - 1943
Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa: to convince the Germans that, instead of attacking Sicily, the Allied armies would invade Greece.
This was accomplished by persuading the Germans that they had, by accident, intercepted top secret documents giving details of Allied war plans.
Attack Surface, Attribution, Residency, Deniability
From the living room to the boardroom
Attack Surface
From ordinary consumers to a single-office business, through the regulatory bodies to the national and global giants.
The environment dictates the approach – no "Silver Bullet".
Layered security – combining multiple mitigating security controls to cost-effectively protect resources & data.
Attack Attribution
At which point in the attack do you realise that you have been hacked? TalkTalk, DNC, Yahoo.
There are very few "smoking guns" visible.
Attacks that often begin with broadly targeted phishing, that can introduce & run new binaries on victims' networks & that connect to random internal hosts using exfiltrated credentials, can still remain hidden for a year.
Examples of Global IT Vendors' Vulnerabilities
Microsoft: Microsoft's August (2016) Patch Tuesday included five updates rated critical out of a total of nine, bringing the number of patches for the year-to-date to 103.
SAP: There are vulnerabilities in almost every SAP module; CRM, EP and SRM are leaders among them. (ERPScan, SAP Cyber Threat Report 2016)
Oracle MICROS (and others): In total, more than one million PoS terminals around the world could be at risk, should the attacks prove to have been deeper than the companies are currently publicly admitting. (Computing, Aug)
Dwell Time / Residency
Mandiant reported that attackers on average lurked on a network for 205 days before being discovered¹
Microsoft recently reported they place the number at more than 200 days to detect a security breach and 80 days to contain it²
1. https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf
2. https://blogs.windows.com/windowsexperience/2016/03/01/announcing-windows-defender-advanced-threat-protection
Plausible Deniability & Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrongdoing cannot be proved as true or untrue due to a lack of evidence proving the allegation.
It is a basic law for the cheat and the deceiver: be able to offer up an excuse that cannot be disproved easily and that makes sense for the situation.
Trickle-down Effects
Increasing rapidity of car trickle-down: yesteryears' top-end car innovations eventually migrate through the models, becoming standard options in lower-priced vehicles.
This pattern of innovation holds true in virtually every field, including cyber-security.
Malware as a Service (MaaS) – moving from the heavily funded specialist cyber experts down into the mass market.
MaaS is now commonly available at very low cost through the darknet and sites such as TOR, I2P.
Honeypots & Tokens
Evolution, Mimicry
Honeypots
Venus Flytrap in action (triggered honeypot)
Trojan Horse (passive honeypot): built by the Greeks and used to enter the city of Troy and win the 10-year Trojan War - 4th Century story
Cartography: a trap street (passive honeypot) is a fictitious entry, in the form of a misrepresented street, for the purpose of trapping potential copyright violators.
Tempting - moneypot
All mine…
Ooops
Honeypot Principle
Focus on detecting threats. Here we'd like to know immediately someone has broken into the network and is in places they shouldn't be.
Ensure the honeypot looks appealing to the attacker. The honeypot must look legitimate & enticing.
In this attack scenario the defender has particular advantage Once attackers initially land inside your internal network theyrsquore at a
disadvantage They donrsquot know the lay of the land and they need to explore it (reconnaissance) while remaining hidden
Defence through Deception
Deception is a highly effective solution for protecting environments used to confuse delay and redirect the enemy
Lured to the Canary Honeypot the attacker will be tricked into engaging with that device and believe they are being successful in their attack
Canary ndash Today and Tomorrow
Canary - great for remote sites but what about our VM data centres
What about integration with established enterprise monitoring frameworks such as Openview CA or Microsoft SCOM
Console management limit on the number of deployed Canaries
Are ldquoCanarytokensrdquo part of tomorrowrsquos planning
Identification amp Authorisation
A new way forward
TokensTokens - In general a token is an object that represents something else such as another object (either physical or virtual) or an abstract concept In computer systems there are a number of types of tokens both hardware and software
In human terms a token of trust can exist between two parties with such levels of trust reinforced through personal introductions with other partiesA token generation amp management platform designed specifically for high security multi-services in public and private clouds
greatly enhances trustworthy information handling
Identification with Passwords Any directory service or managementplatform holding passwords becomes atarget by the attacker for credentialsrsquo theft
Passwords are fundamentally flawed Often easy to guess Are reused across different services Are written down or stored or shared Can be intercepted Are expensive to maintain 29 of all cybercrime is from stolen
passwords
Identification WITHOUT Password
The Problem The password has outlived itrsquos usefulness
Secure Cloudlinkrsquos Response Patented and highly secure tokenised message management
solution assures password redundancy User credentials are not transmitted stored or replicated Secure digital services - a snap for the user
Randomised encrypted key generation ndashno consistent key to be stolen
ConclusionPossible quick-wins
Immediate Low-risk ConsiderationsPeople protection Continuous inter-active education on the threats amp risks posed by cyber-criminals through the deployment of Phish5 email phishing simulations with supporting education processes
Network hardening Rapid deployment of customisable low-cost capex-free Canary honeypots throughout the strategic points on the network
Access amp authorisation protection Review and assess the usage amp costs (directindirect) of passwords in your own organisation ndash test the results against Secure Cloudlink
Information handling assurance Regular external expert assessment amp audit of network data governance practices and procedures
Security Through Obscurity
Warfare - The Social Threat
Attack Surface Attribution Residency Deniability -Livingroom to Boardroom
Honeypots amp Tokens ndash Evolution Mimicked
Identification and Authorisation ndash New Pathway
Thank you
Trust in ldquoTHISrdquo
Security through ObscurityRay Dalgarno
raycybercastco
New and evolving forms of malwareMark Olding Senior Enterprise Presales Consultant Kaspersky Labs
The what how who and why of computer malware
Mark OldingSenior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1NEW VIRUS EVERY HOUR
19941NEW VIRUS EVERY MINUTE
20061NEW VIRUS EVERY SECOND
2011310000NEW SAMPLES EVERY DAY
2016
THE SCALE OF THE THREAT
90
99
01
Targeted attacks
Advanced persistent threats
Traditional cybercrime
Targeted threats to organizations
Cyber-weapons
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of ThingsBig Data Fragmentation of the internet
Cloud amp Virtualization Consumerisation amp Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy amp Data protection challenge
Online banking at risk
Mobile threatsDecreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of ThingsTargeting hotel networks
Ransomware programs
Cyber mercenaries Massive data leaks
Malware for ATMs
Financial phishing attacksAttacks on
PoS terminals
Threats to Smart CitieslsquoWipersrsquo amp Cyber - sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email Exploit kits
Social Networks
BrowsersAn-droi-dOS
VULNERBILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798113087 web attacks in 2015
25 attacks per second1518 attacks per minute
21 million attacks per day 91000 attacks per hour
DRIVE-BY DOWNLOADS
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
bull Evaluate the risksbull Patch OS and applicationsbull Mange your networkbull Secure your systems
Multi-layered protection Not just endpoints Default-Deny Encrypt Donrsquot forget mobile
bull Educate staff
RIGHT NOW
bull Stop fire fighting Create a strategy
bull Itrsquos bigger than ITbull Delegate to experts
Assessment Incident response Analysis
TOMORROW
bull lsquoThe end of APTsrsquobull Alternative payment systems and stock exchangebull Sabotage extortion and shamebull Ransomwarebull Trusted resourcesbull From lsquoAPT-as-a-Servicersquo to lsquoAccess-as-a-servicersquobull Balkanisationbull Transportationbull lsquoCrypto-apocalypse
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
Get back to basics
― Technology and tools of the highest quality can be undermined by weaknesses in basic security practices
― Or by a flawed corporate culture
― CyberInformation risk is a problem for the entire business to resolve ndash not just IT
― Todayrsquos cyber criminals recognise this and exploit it by adopting a range of approaches which step away from the purely technical and exploit weaknesses in the way that organisations manage control and interact with their information
― A full frontal assault is unlikely to be profitable ndash an attacker will target compromise from the inside And they can be very patient
Get back to basics
Fundamentally addressing the Cyber Threat means going back to basics looking again at your organisation and the controls you already have
― Understanding your people ndash what threats do they pose After all there is no patch for stupidity
― Understanding your organisationrsquos information where it is and how it is used
― Identifying the main risks to physical and information assets
― Ensuring that the right measures are adopted to mitigate risk to within acceptable levels ndash balancing cost versus risk
Get back to basics ndash governance foundations
Unless the foundations of good information and security governance are working well any investment in security technology will most likely be wasted Fundamental areas for focus are
― Staff security training and awareness
― Robust oversight and management of third party suppliers
― Software amp hardware patch management
― Intelligent management amp admin of user access
― Clear policies on security acceptable system use and social media
People Process Tools In that order
Get back to basics ndash making it work
For effective and sustainable governance
― Setting maintaining and continuing to evolve the ldquotone at the toprdquo
― Monitoring of information risk management by the Board of Directors
― Ongoing practical and relevant awareness training
― Independent assurance
― Regular risk-based security testing Inside and outside the perimeter
What happens if a security breach occurs
― If a security breach occurs organisations that follow clearly documented plans to reduce the impact of the breach have a much better chance of staying out of the law courts and avoiding punishment
― Most organisations unfortunately dont have good systems for actually managing the problem If a breach occurs the law is really concerned with your behaviour at that point in time You cant unravel the past and pretend the breach didnt occur its what you do from that point on that will determine your culpability
― On top of having well documented systems and procedures organisations need to have clearly defined actions for dealing with a breach and limiting the damage to those affected This is likely to involve multiple disciplines that could include information security specialists IT resources a PR agency legal advice and credit reporting services
― If you adopt an honourable stance from the outset doing the right thing at the right time then your legal team is in a very strong position to defend you to the regulator arguing that youre not the kind of organisation that has the profile that requires all of the effect of the law and therefore the punishment
How to protect organisations from security breaches
― Take some basic steps to build a protective shieldrdquo most notably― Build a single unified security policy
― Ensure information security forms part of any contract initiation
― Make security part of the process when any project is initiated
― Employee adequacy ndash ensure you have processes for handling new employees changes of job and for employees exiting the company show that they were made aware of security requirements
― Third-party assurance ndash have processes in place to guard information held by third parties
― Culture ndash have a managerial structure in place that demonstrates a chain of responsibility for handling security and reporting errors― lsquoTone at the toprsquo
― Shared ownership of good practices
― Openness amp transparency ndash continuous improvement
State of the Nation ndash addressing Cyber RiskFour golden rules our plan is founded upon
Over 75 of attacks exploit failures to put in place basic controls
Get the basics right
You have to prioritize where you spend your money to defend yourself so build a fortress
around your most critical asset
Look after the crown jewels
Invest in understanding who might attack you why and how so that you can anticipate the most likely scenarios and defend those assets that are
most likely to get attacked
Do your homework on your enemies
Security and resilience can affect nearly every part of an organization Strategies to protect IT
security and business resiliency should align with an organizationrsquos broader goals ndash from protecting intellectual property to maximizing productivity to
finding new ways to delight customers
Treat cyber risk as an opportunity to look closely at your business
Solving the big lsquoBoard reporting problemrsquo in cyberJon Hawes Security Intelligence Strategist Panaseer
Cyber security insuranceGraeme Newman Chief Innovation OfficerCFC
Tackling the insider threatGarath Lauder Director CyberseerTed Plumis Vice President of Channels and Corporate Development Exabeam
Social engineering the art of the conRob Shapland Penetration Testing Team Manager First Base Technologies
Cryptography Basics Dr David Weston Lecturer in Computer Science and Information SystemsBirkbeck University of London
Tokens Honeypots Idenitfication Authorisation Services Ray Dalgarno Director CYBERCAST
Trust with ldquoTHISrdquo
TokensHoneypots
Identification Authorisation ServicesThe Confluence
Agenda
Warfare
Attack Surface Attribution Residency Deniability
Honeypots amp Tokens
Identification and Authorisation
Conclusion
Warfare
Security through obscurity – the reason the armed forces adopt camouflage
NHS Cyber Attacks – The Telegraph, 1st Nov 2016
"…hacking is no longer the stuff of spy thrillers and action movies but a clear and present threat…"
"…Ben Gummer, minister for Cabinet, says that large quantities of sensitive data held by the NHS and the Government is being targeted by hackers…"
"…Ministers will also unveil a Cyber Security Research Institute, a virtual collection of UK universities which will work towards making passwords obsolete…"
Cyber Fraud
"…Online fraudsters stole £10.9bn in the UK last year…"
"…39% (of respondents) questioned by "Get Safe Online" said they were a victim of cybercrime but did not report it…"
"…53% received phishing messages…"
Extract from The Telegraph, 20th October 2016
Cyber Crime is a War Zone
"Rouse him and learn the principle of his activity or inactivity. Force him to reveal himself so as to find out his vulnerable spots."
"If you know the enemy and know yourself, you need not fear the results of a hundred battles."
– Sun Tzu, Military General, Strategist & Philosopher, 5th Century BC, China
Deception is a powerful, effective but under-utilised tool – (at least by defenders).
Full range of "effects" on adversaries possible through deception.
Deception Effects – Attacker & Defender
Effect / Attacker / Defender
Fail to observe: Attacker – prevent the defender from detecting the attack. Defender – prevent the attacker from discovering their target.
Reveal: Attacker – trick the defender into providing access. Defender – trick the attacker into revealing their presence.
Waste time: Attacker – focus the defender's attention on the wrong aspects of the incident. Defender – focus the attacker's efforts on the wrong target.
Operation Mincemeat – 1943
Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa: to convince the Germans that, instead of attacking Sicily, the Allied armies would invade Greece.
This was accomplished by persuading the Germans that they had, by accident, intercepted top secret documents giving details of Allied war plans.
Attack Surface, Attribution, Residency, Deniability
From the living room to the boardroom
Attack Surface
From ordinary consumers to a single-office business, through the regulatory bodies to the national and global giants.
The environment dictates the approach – no "Silver Bullet".
Layered security – combining multiple mitigating security controls to cost-effectively protect resources & data.
Attack Attribution
At which point in the attack do you realise that you have been hacked?
TalkTalk, DNC, Yahoo
There are very few "smoking guns" visible.
Attacks that often begin with broadly targeted phishing, that can introduce & run new binaries on victims' networks, & that connect to random internal hosts using exfiltrated credentials, can still remain hidden for a year.
Examples of Global IT Vendors' Vulnerabilities
Microsoft: Microsoft's August (2016) Patch Tuesday included five updates rated critical out of a total of nine, bringing the number of patches for the year-to-date to 103.
SAP: There are vulnerabilities in almost every SAP module; CRM, EP and SRM are leaders among them. (ERPScan, SAP Cyber Threat Report 2016)
Oracle MICROS (and others): In total, more than one million PoS terminals around the world could be at risk should the attacks prove to have been deeper than the companies are currently publicly admitting. (Computing, Aug)
Dwell Time / Residency
Mandiant reported that attackers on average lurked on a network for 205 days before being discovered.¹
Microsoft recently reported they place the number at more than 200 days to detect a security breach and 80 days to contain it.²
1. https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf
2. https://blogs.windows.com/windowsexperience/2016/03/01/announcing-windows-defender-advanced-threat-protection
Plausible Deniability & Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrongdoing cannot be proved as true or untrue due to a lack of evidence proving the allegation.
It is a basic law for the cheat and the deceiver: be able to offer up an excuse that cannot be disproved easily and that makes sense for the situation.
Trickle-down Effects
Increasing rapidity of car trickle-down: yesteryears' top-end car innovations eventually migrate through the models, becoming standard options in lower-priced vehicles.
This pattern of innovation holds true in virtually every field, including cyber-security.
Malware as a Service (MaaS) – moving from the heavily funded specialist cyber experts down into the mass market.
MaaS is now commonly available at very low cost through the darknet and sites such as TOR and I2P.
Honeypots & Tokens: Evolution, Mimicry
Honeypots
Venus Flytrap in action (triggered honeypot)
Trojan Horse (passive honeypot): built by the Greeks and used to enter the city of Troy and win the 10-year Trojan war – 4th Century story
Cartography: a trap street (passive honeypot) is a fictitious entry in the form of a misrepresented street, for the purpose of trapping potential copyright violators.
Tempting – moneypot
All mine………
Ooops
Honeypot Principle
Focus on detecting threats. Here we'd like to know immediately someone has broken into the network and is in places they shouldn't be.
Ensure the honeypot looks appealing to the attacker. The honeypot must look legitimate & enticing.
In this attack scenario the defender has a particular advantage. Once attackers initially land inside your internal network they're at a disadvantage: they don't know the lay of the land and they need to explore it (reconnaissance) while remaining hidden.
Defence through Deception
Deception is a highly effective solution for protecting environments, used to confuse, delay and redirect the enemy.
Lured to the Canary honeypot, the attacker will be tricked into engaging with that device and believe they are being successful in their attack.
Canary – Today and Tomorrow
Canary – great for remote sites, but what about our VM data centres?
What about integration with established enterprise monitoring frameworks such as OpenView, CA or Microsoft SCOM?
Console management limit on the number of deployed Canaries.
Are "Canarytokens" part of tomorrow's planning?
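As an added illustration of the honeypot principle and the "Canarytokens" idea above (example code written for this page; it is not the Canary product the slides refer to and not the speaker's own code): a decoy TCP service that does nothing except record every connection made to it, and a log check that raises an alert the moment a planted decoy credential shows up anywhere. The class and function names (DecoyService, detect_honeytoken_use, probe), the decoy identifiers and the sample log lines are all constructed for the example.

```python
import socket
import threading
from datetime import datetime, timezone

# Decoy identifiers planted where only someone exploring the network would find them.
# Constructed sample values for this example, not real accounts or keys.
HONEYTOKENS = {
    "svc_backup_legacy",          # decoy username left in an old-looking config file
    "AKIA0HONEYTOKEN0EXAMPLE",    # decoy access-key id in a fake key format
}


def detect_honeytoken_use(log_lines, tokens=HONEYTOKENS):
    """Return one alert per log line that mentions a planted decoy.

    Nothing legitimate ever references a decoy, so a single hit is high
    confidence and there is no threshold to tune.
    """
    alerts = []
    for line in log_lines:
        for token in tokens:
            if token in line:
                alerts.append({"token": token, "evidence": line.strip()})
    return alerts


class DecoyService:
    """A TCP listener that offers nothing but records every connection.

    The software equivalent of the passive honeypot on the slides: it sits on
    an otherwise unused port, so any connection at all is a detection.
    """

    def __init__(self, host="127.0.0.1", port=0, banner=b"220 legacy-ftp ready\r\n"):
        self.banner = banner              # makes the decoy look like a real, tempting service
        self.hits = []
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))     # port 0 lets the OS pick a free port
        self._sock.listen(5)
        self._sock.settimeout(0.2)        # wake up regularly to check for shutdown
        self.port = self._sock.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self._sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(2)
                try:
                    conn.sendall(self.banner)
                except OSError:
                    pass                  # the visitor hung up; the touch still counts
                # Record who touched the decoy; nothing else is done with the connection.
                self.hits.append({"peer": peer[0],
                                  "at": datetime.now(timezone.utc).isoformat()})

    def stop(self):
        """Shut the listener down and return everything it recorded."""
        self._stop.set()
        self._thread.join()
        self._sock.close()
        return self.hits


def probe(host, port):
    """Connect to the decoy once and return its banner (used to exercise it locally)."""
    with socket.create_connection((host, port), timeout=2) as s:
        return s.recv(64)


# Constructed sample log lines: one genuine login, then two attempts using the decoy account.
SAMPLE_LOG = [
    "2016-11-04T09:12:01Z sshd[2210]: Accepted publickey for alice from 10.0.3.7",
    "2016-11-04T09:13:44Z sshd[2231]: Failed password for svc_backup_legacy from 10.0.9.21",
    "2016-11-04T09:14:02Z sshd[2231]: Failed password for svc_backup_legacy from 10.0.9.21",
]

if __name__ == "__main__":
    for alert in detect_honeytoken_use(SAMPLE_LOG):
        print("HONEYTOKEN USED:", alert)
    decoy = DecoyService().start()
    probe("127.0.0.1", decoy.port)
    for hit in decoy.stop():
        print("DECOY TOUCHED:", hit)
```

The two halves show the two deployment styles the slides contrast: the listener is the device-style honeypot (a Canary stands on a network segment and waits), while the log check is the token style (a Canarytoken is a piece of data that should never be used, so its use anywhere is the signal). Both produce an alert on the first touch, which is what makes them cheap to run: there is no baseline to learn and nothing to tune.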
Identification & Authorisation
A new way forward
Tokens
Tokens – In general, a token is an object that represents something else, such as another object (either physical or virtual) or an abstract concept. In computer systems there are a number of types of tokens, both hardware and software.
In human terms, a token of trust can exist between two parties, with such levels of trust reinforced through personal introductions with other parties.
A token generation & management platform designed specifically for high security multi-services in public and private clouds greatly enhances trustworthy information handling.
Identification with Passwords
Any directory service or management platform holding passwords becomes a target for the attacker for credential theft.
Passwords are fundamentally flawed: often easy to guess; reused across different services; written down, stored or shared; can be intercepted; expensive to maintain. 29% of all cybercrime is from stolen passwords.
Identification WITHOUT Password
The Problem: the password has outlived its usefulness.
Secure Cloudlink's Response: a patented and highly secure tokenised message management solution assures password redundancy. User credentials are not transmitted, stored or replicated. Secure digital services – a snap for the user.
Randomised encrypted key generation – no consistent key to be stolen.
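The last two slides contrast a directory full of reusable passwords (a standing target) with per-login randomised secrets that leave nothing consistent to steal. The following is an added, generic illustration of that property and is not Secure Cloudlink's patented design or any vendor's code: a store that issues a fresh random single-use login token, keeps only a hash of it, and spends the token the moment it is presented. OneTimeTokenStore, TOKEN_TTL_SECONDS and the method names are constructed for this example.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 300  # a login token is only good for five minutes


class OneTimeTokenStore:
    """Issue random, single-use login tokens and keep only their hashes.

    Generic illustration of the property the slide asks for: each login gets a
    fresh random secret, the clear secret is never persisted, and it is useless
    after one use or after expiry. Someone who copies the store gets nothing
    they can replay. (Hypothetical design for this page, not any vendor's.)
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested deterministically
        self._pending = {}           # sha256(token) -> (user, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user):
        """Create a token for `user`; return it for out-of-band delivery."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, new every time
        self._pending[self._digest(token)] = (user, self._clock() + TOKEN_TTL_SECONDS)
        return token                        # the clear token is never written anywhere

    def redeem(self, token):
        """Return the user the token was issued to, or None. Always consumes it."""
        # pop() rather than get(): a token is spent the moment it is presented,
        # whether or not it turns out to be valid, so it can never be retried.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user, expires_at = entry
        if self._clock() > expires_at:
            return None
        return user

    def stored_secrets(self):
        """What an attacker who dumps the store would obtain: digests only."""
        return list(self._pending)


if __name__ == "__main__":
    store = OneTimeTokenStore()
    token = store.issue("alice")
    print("store holds:", store.stored_secrets())      # hashes, not the token
    print("first redeem:", store.redeem(token))        # alice
    print("second redeem:", store.redeem(token))       # None: already spent
```

The point of the example is what a breach of the store yields: with passwords, a copied directory is reusable against the service and against every other service where the password was reused; here a copied store contains hashes of tokens that are random, short-lived and invalidated on first use, so its contents are not redeemable.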
Conclusion: Possible quick-wins
Immediate Low-risk Considerations
People protection: continuous interactive education on the threats & risks posed by cyber-criminals, through the deployment of Phish5 email phishing simulations with supporting education processes.
Network hardening: rapid deployment of customisable, low-cost, capex-free Canary honeypots throughout the strategic points on the network.
Access & authorisation protection: review and assess the usage & costs (direct/indirect) of passwords in your own organisation – test the results against Secure Cloudlink.
Information handling assurance: regular external expert assessment & audit of network data governance practices and procedures.
Security Through Obscurity
Warfare – The Social Threat
Attack Surface, Attribution, Residency, Deniability – Living room to Boardroom
Honeypots & Tokens – Evolution Mimicked
Identification and Authorisation – New Pathway
Thank you
Trust in "THIS"
Security through Obscurity – Ray Dalgarno
ray@cybercast.co
New and evolving forms of malware – Mark Olding, Senior Enterprise Presales Consultant, Kaspersky Labs
The what, how, who and why of computer malware
Mark Olding, Senior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1 new virus every hour – 1994
1 new virus every minute – 2006
1 new virus every second – 2011
310,000 new samples every day – 2016
THE SCALE OF THE THREAT
Traditional cybercrime – 90%
Targeted threats to organizations (targeted attacks, advanced persistent threats) – 9.9%
Cyber-weapons – 0.1%
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of Things; Big Data; Fragmentation of the internet
Cloud & Virtualization; Consumerisation & Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy & Data protection challenge
Online banking at risk
Mobile threats; Decreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of Things; Targeting hotel networks
Ransomware programs
Cyber mercenaries; Massive data leaks
Malware for ATMs
Financial phishing attacks; Attacks on PoS terminals
Threats to Smart Cities; 'Wipers' & Cyber-sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email; Exploit kits
Social Networks
Browsers; Android OS
VULNERABILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798,113,087 web attacks in 2015
25 attacks per second; 1,518 attacks per minute
91,000 attacks per hour; 2.1 million attacks per day
DRIVE-BY DOWNLOADS (June 2015)
SOCIAL MEDIA (June 2015)
REMOVABLE DRIVES (June 2015)
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
[Chart: users attacked by online-banking malware, Nov-14 to Sep-15; y-axis: users, 0 to 450,000]
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers.
This number is 2.8% higher than in 2014.
Ransomware (June 2015): Blockers, Cryptors
Advanced Persistent Threats
Stuxnet, Duqu, Gauss, Flame, MiniFlame, Kimsuky, NetTraveler, Winnti, Icefog, RedOctober, Miniduke, TeamSpy, Energetic Bear / Crouching Yeti, Epic Turla, Careto / The Mask, Regin, CosmicDuke, Darkhotel, Spring Dragon, Satellite Turla, MsnMM Campaigns, Darkhotel Part 2, Animal Farm, Equation, Desert Falcons, Carbanak, Sofacy, Hellsing, Naikon, Duqu 2.0, Blue Termite, Wild Neutron
We discover and dissect the world's most sophisticated malware.
HOW THE CARBANAK CYBERGANG STOLE $1bn
A targeted attack on a bank
1. Infection: Carbanak sent a backdoor as an attachment to a bank employee (emails with exploits); credentials stolen; 100s of machines infected in search of the admin PC.
2. Harvesting intelligence: intercepting the clerk's screen (admin; REC; cash transfer systems).
3. Mimicking the staff – how the money was stolen:
Online banking – money was transferred to the fraudsters' accounts.
E-payment systems – money was transferred to banks in China and the US.
Inflated account balances – the extra funds were pocketed via a fraudulent transaction.
Controlling ATMs – orders to dispense cash at a pre-determined time.
MAC MALWARE
In 2012 the Flashback botnet was discovered, consisting of 700,000 computers all running under Mac OS X.
Cybercriminals repeatedly use Mac malware when launching targeted attacks.
Macs can unknowingly pass PC malware onto PCs in your network.
MAC MALWARE
[Chart: Mac malware samples, 2003 to 2015; y-axis: malware, 0 to 30,000]
Since 2012 the proportion of adware on OS X has increased fivefold (x5).
Kaspersky Lab recorded almost 6 million unique attacks on Mac devices in 2015.
There are more than 24,000 samples of malicious OS X files in Kaspersky Lab's collection.
MOBILE MALWARE
[Chart: mobile malware samples, Q1 2011 to Q3 2015; y-axis: malware, 0 to 1,600,000]
MOBILE MALWARE
Adware; RiskTool; Trojan-SMS; Trojan; Trojan-Spy; Backdoor; Trojan-Downloader; Trojan-Banker; Trojan-Ransom; Monitor; Other
RIGHT NOW
• Evaluate the risks
• Patch OS and applications
• Manage your network
• Secure your systems: multi-layered protection; not just endpoints; Default-Deny; encrypt; don't forget mobile
• Educate staff
• Stop fire fighting: create a strategy
• It's bigger than IT
• Delegate to experts: assessment, incident response, analysis
TOMORROW
FUTURE PROSPECTS
• 'The end of APTs'
• Alternative payment systems and stock exchange
• Sabotage, extortion and shame
• Ransomware
• Trusted resources
• From 'APT-as-a-Service' to 'Access-as-a-service'
• Balkanisation
• Transportation
• 'Crypto-apocalypse'
THANK YOU
Closing keynote address – Vicki Gavin, Compliance Director, Head of Business Continuity & Information Security, The Economist Group
Thank you
Get back to basics
Fundamentally, addressing the Cyber Threat means going back to basics: looking again at your organisation and the controls you already have.
― Understanding your people – what threats do they pose? After all, there is no patch for stupidity.
― Understanding your organisation's information: where it is and how it is used.
― Identifying the main risks to physical and information assets.
― Ensuring that the right measures are adopted to mitigate risk to within acceptable levels – balancing cost versus risk.
Get back to basics – governance foundations
Unless the foundations of good information and security governance are working well, any investment in security technology will most likely be wasted. Fundamental areas for focus are:
― Staff security training and awareness
― Robust oversight and management of third party suppliers
― Software & hardware patch management
― Intelligent management & admin of user access
― Clear policies on security, acceptable system use and social media
People, Process, Tools. In that order.
Get back to basics – making it work
For effective and sustainable governance:
― Setting, maintaining and continuing to evolve the "tone at the top"
― Monitoring of information risk management by the Board of Directors
― Ongoing, practical and relevant awareness training
― Independent assurance
― Regular risk-based security testing, inside and outside the perimeter
What happens if a security breach occurs?
― If a security breach occurs, organisations that follow clearly documented plans to reduce the impact of the breach have a much better chance of staying out of the law courts and avoiding punishment.
― Most organisations, unfortunately, don't have good systems for actually managing the problem. If a breach occurs, the law is really concerned with your behaviour at that point in time. You can't unravel the past and pretend the breach didn't occur; it's what you do from that point on that will determine your culpability.
― On top of having well documented systems and procedures, organisations need to have clearly defined actions for dealing with a breach and limiting the damage to those affected. This is likely to involve multiple disciplines that could include information security specialists, IT resources, a PR agency, legal advice and credit reporting services.
― If you adopt an honourable stance from the outset, doing the right thing at the right time, then your legal team is in a very strong position to defend you to the regulator, arguing that you're not the kind of organisation that has the profile that requires all of the effect of the law and therefore the punishment.
How to protect organisations from security breaches
― Take some basic steps to build a "protective shield", most notably:
― Build a single, unified security policy
― Ensure information security forms part of any contract initiation
― Make security part of the process when any project is initiated
― Employee adequacy – ensure you have processes for handling new employees, changes of job and employees exiting the company; show that they were made aware of security requirements
― Third-party assurance – have processes in place to guard information held by third parties
― Culture – have a managerial structure in place that demonstrates a chain of responsibility for handling security and reporting errors
― 'Tone at the top'
― Shared ownership of good practices
― Openness & transparency – continuous improvement
State of the Nation ndash addressing Cyber RiskFour golden rules our plan is founded upon
Over 75 of attacks exploit failures to put in place basic controls
Get the basics right
You have to prioritize where you spend your money to defend yourself so build a fortress
around your most critical asset
Look after the crown jewels
Invest in understanding who might attack you why and how so that you can anticipate the most likely scenarios and defend those assets that are
most likely to get attacked
Do your homework on your enemies
Security and resilience can affect nearly every part of an organization Strategies to protect IT
security and business resiliency should align with an organizationrsquos broader goals ndash from protecting intellectual property to maximizing productivity to
finding new ways to delight customers
Treat cyber risk as an opportunity to look closely at your business
Solving the big lsquoBoard reporting problemrsquo in cyberJon Hawes Security Intelligence Strategist Panaseer
Cyber security insuranceGraeme Newman Chief Innovation OfficerCFC
Tackling the insider threatGarath Lauder Director CyberseerTed Plumis Vice President of Channels and Corporate Development Exabeam
Social engineering the art of the conRob Shapland Penetration Testing Team Manager First Base Technologies
Cryptography Basics Dr David Weston Lecturer in Computer Science and Information SystemsBirkbeck University of London
Tokens Honeypots Idenitfication Authorisation Services Ray Dalgarno Director CYBERCAST
Trust with ldquoTHISrdquo
TokensHoneypots
Identification Authorisation ServicesThe Confluence
Agenda
Warfare
Attack Surface Attribution Residency Deniability
Honeypots amp Tokens
Identification and Authorisation
Conclusion
WarfareSecurity through obscurity ndash
the reason the armed forces adopt camouflage
NHS Cyber Attacks ndash The Telegraph 1st Nov 2016
ldquohelliphacking is no longer the stuff of spy thrillers and action movies but a clear and present threathelliprdquo
ldquohellipBen Gummer minister for Cabinet says that large quantities of sensitive data held by the NHS and the Government is being targeted by hackershelliprdquo
ldquohellipMinisters will also unveil a Cyber Security Research Institute a virtual collection of UK universities which will work towards making passwords obsoletehelliprdquo
Cyber Fraud
ldquohellipOnline fraudsters stole pound109bn in the UK last yearhelliprdquo
ldquohellip39 (of respondents) questioned by ldquoGet Safe Onlinerdquo said they were a victim of cybercrime but did not report ithelliprdquo
ldquohellip53 received phishing messageshelliprdquo
Extract from The Telegraph 20th October 2016
Cyber Crime is a War ZoneldquoRouse him and learn the principle of his activity or inactivity Force him to reveal himself so as to find out his vulnerable spotsrdquoldquoIf you know the enemy and know yourself you need not fear the results of a hundred battlesrdquo
- Sun Tzu Military General Strategist amp Philosopher 5th Century BC ChinaDeception is a powerful effective but under utilised tool ndash (at least by defenders)
Full range of ldquoeffectsrdquo on adversaries possible through deception
Effects Attacker Defender
Fail to observe
Prevent the defender from detecting the attack Prevent the attacker from discovering their target
Reveal
Trick the defender into providing access Trick the attacker into revealing their presence
Waste Time
Focus the defenderrsquos attention on the wrong aspects of the incident
Focus the attackerrsquos efforts on the wrong target
Deception Effects - Attacker amp Defender
Operation Mincemeat - 1943
Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa To convince the Germans that instead of attacking Sicily the Allied armies would invade Greece
Operation Mincemeat - 1943Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa To convince the Germans that instead of attacking Sicily the Allied armies would invade Greece
This was accomplished by persuading the Germans that they had by accident intercepted top secret documents giving details of Allied war plans
Attack Surface Attribution Residency
DeniabilityFrom the living room to the boardroom
Attack Surface
From ordinary consumers to a single-office business through the regulatory bodies to the national and global giants
The environment dictates the approach ndash no ldquoSilver Bulletrdquo
Layered security ndash combining multiple mitigating security controls to cost effectively protect resources amp data
Attack AttributionAt which point in the attack do you realise that you have been hacked
TalkTalk DNC Yahoo
There are very few ldquosmoking gunsrdquo visible
Attacks that often begin with broadly targeted phishing that can introduce amp run new binaries on victims networks amp that connect to random internal hosts using exfiltrated credentials can still remain hidden for a year
Examples of Global IT Vendorsrsquo Vulnerabilities
Microsoft Microsoft August (2016) Patch Tuesday included five updates rated
critical out of a total of nine bringing the number of patches for the year-to-date at 103
SAP There are vulnerabilities in almost every SAP module CRM EP and SRM
are leaders among them ERPScan SAP Cyber Threat Report2016
Oracle MICROS (and others) In total more than one million PoS terminals around the world could be
at risk should the attacks prove to have been deeper than the companies are currently publicly admitting
Computing Aug
Dwell TimeResidency
Mandiant reported that attackers on average lurked on a network for 205 days before being discoveredsup1
Microsoft recently reported they place the number at more than 200 days to detect a security breach and 80 days to contain itsup2
1 httpswww2fireeyecomrsfireyeimagesrpt-m-trends-2015pdf2 httpsblogswindowscomwindowsexperience20160301announcing-windows-defender-advanced-threat-protection
Plausible Deniability amp Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrong doing cannot be proved as true or untrue due to a lack of evidence proving the allegation
It is a basic law for the cheat and the deceiver Be able to offer up an excuse that cannot be disproved easily and that makes sense for the situation
Trickle-down Effects
Increasing rapidity of car-trickle-down yester-yearsrsquo top end car innovations eventually migrate through the models becoming standard options in lower-priced vehicles
This pattern of innovation holds true in virtually every field including cyber- security
Malware as a Service (MaaS) ndash moving from the heavily funded specialist cyber experts down into the mass market
MaaS now commonly available at very low cost through the darknet and sites such TOR I2p
Honeypots amp TokensEvolution Mimicry
Honeypots
Venus Flytrap in Action (triggered honeypot)
Trojan Horse (passive honeypot) Greeks built used to enter the city of Troy and win the 10 year Trojan war - 4th Century story
Cartography A trap street (passive honeypot) is a fictitious entry in the form of a misrepresented street for the purpose of trapping potential copyright violators
Tempting - moneypot
All minehelliphelliphellip
Ooops
Honeypot Principle
Focus on detecting threats Here wersquod like to know immediately someone has broken into the network
and in places they shouldnrsquot be
Ensure the honeypot looks appealing to the attacker The honeypot must look legitimate amp enticing
In this attack scenario the defender has particular advantage Once attackers initially land inside your internal network theyrsquore at a
disadvantage They donrsquot know the lay of the land and they need to explore it (reconnaissance) while remaining hidden
Defence through Deception
Deception is a highly effective solution for protecting environments used to confuse delay and redirect the enemy
Lured to the Canary Honeypot the attacker will be tricked into engaging with that device and believe they are being successful in their attack
Canary ndash Today and Tomorrow
Canary - great for remote sites but what about our VM data centres
What about integration with established enterprise monitoring frameworks such as Openview CA or Microsoft SCOM
Console management limit on the number of deployed Canaries
Are ldquoCanarytokensrdquo part of tomorrowrsquos planning
Identification amp Authorisation
A new way forward
TokensTokens - In general a token is an object that represents something else such as another object (either physical or virtual) or an abstract concept In computer systems there are a number of types of tokens both hardware and software
In human terms a token of trust can exist between two parties with such levels of trust reinforced through personal introductions with other partiesA token generation amp management platform designed specifically for high security multi-services in public and private clouds
greatly enhances trustworthy information handling
Identification with Passwords Any directory service or managementplatform holding passwords becomes atarget by the attacker for credentialsrsquo theft
Passwords are fundamentally flawed Often easy to guess Are reused across different services Are written down or stored or shared Can be intercepted Are expensive to maintain 29 of all cybercrime is from stolen
passwords
Identification WITHOUT Password
The Problem The password has outlived itrsquos usefulness
Secure Cloudlinkrsquos Response Patented and highly secure tokenised message management
solution assures password redundancy User credentials are not transmitted stored or replicated Secure digital services - a snap for the user
Randomised encrypted key generation ndashno consistent key to be stolen
ConclusionPossible quick-wins
Immediate Low-risk ConsiderationsPeople protection Continuous inter-active education on the threats amp risks posed by cyber-criminals through the deployment of Phish5 email phishing simulations with supporting education processes
Network hardening Rapid deployment of customisable low-cost capex-free Canary honeypots throughout the strategic points on the network
Access amp authorisation protection Review and assess the usage amp costs (directindirect) of passwords in your own organisation ndash test the results against Secure Cloudlink
Information handling assurance Regular external expert assessment amp audit of network data governance practices and procedures
Security Through Obscurity
Warfare - The Social Threat
Attack Surface Attribution Residency Deniability -Livingroom to Boardroom
Honeypots amp Tokens ndash Evolution Mimicked
Identification and Authorisation ndash New Pathway
Thank you
Trust in ldquoTHISrdquo
Security through ObscurityRay Dalgarno
raycybercastco
New and evolving forms of malwareMark Olding Senior Enterprise Presales Consultant Kaspersky Labs
The what how who and why of computer malware
Mark OldingSenior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1NEW VIRUS EVERY HOUR
19941NEW VIRUS EVERY MINUTE
20061NEW VIRUS EVERY SECOND
2011310000NEW SAMPLES EVERY DAY
2016
THE SCALE OF THE THREAT
90
99
01
Targeted attacks
Advanced persistent threats
Traditional cybercrime
Targeted threats to organizations
Cyber-weapons
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of ThingsBig Data Fragmentation of the internet
Cloud amp Virtualization Consumerisation amp Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy amp Data protection challenge
Online banking at risk
Mobile threatsDecreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of ThingsTargeting hotel networks
Ransomware programs
Cyber mercenaries Massive data leaks
Malware for ATMs
Financial phishing attacksAttacks on
PoS terminals
Threats to Smart CitieslsquoWipersrsquo amp Cyber - sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email Exploit kits
Social Networks
BrowsersAn-droi-dOS
VULNERBILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798113087 web attacks in 2015
25 attacks per second1518 attacks per minute
21 million attacks per day 91000 attacks per hour
DRIVE-BY DOWNLOADS
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
RIGHT NOW
• Evaluate the risks
• Patch OS and applications
• Manage your network
• Secure your systems: multi-layered protection, not just endpoints; Default-Deny; encrypt; don't forget mobile
• Educate staff
TOMORROW
• Stop fire fighting – create a strategy
• It's bigger than IT
• Delegate to experts: assessment, incident response, analysis
FUTURE PROSPECTS
• 'The end of APTs'
• Alternative payment systems and stock exchange
• Sabotage, extortion and shame
• Ransomware
• Trusted resources
• From 'APT-as-a-Service' to 'Access-as-a-Service'
• Balkanisation
• Transportation
• 'Crypto-apocalypse'
THANK YOU
Closing keynote address – Vicki Gavin, Compliance Director, Head of Business Continuity & Information Security, The Economist Group
Thank you
Get back to basics – governance foundations
Unless the foundations of good information and security governance are working well, any investment in security technology will most likely be wasted. Fundamental areas for focus are:
― Staff security training and awareness
― Robust oversight and management of third-party suppliers
― Software & hardware patch management
― Intelligent management & administration of user access
― Clear policies on security, acceptable system use and social media
People, Process, Tools – in that order
Get back to basics – making it work
For effective and sustainable governance:
― Setting, maintaining and continuing to evolve the "tone at the top"
― Monitoring of information risk management by the Board of Directors
― Ongoing, practical and relevant awareness training
― Independent assurance
― Regular risk-based security testing, inside and outside the perimeter
What happens if a security breach occurs?
― If a security breach occurs, organisations that follow clearly documented plans to reduce the impact of the breach have a much better chance of staying out of the law courts and avoiding punishment.
― Most organisations unfortunately don't have good systems for actually managing the problem. If a breach occurs, the law is really concerned with your behaviour at that point in time. You can't unravel the past and pretend the breach didn't occur; it's what you do from that point on that will determine your culpability.
― On top of having well-documented systems and procedures, organisations need to have clearly defined actions for dealing with a breach and limiting the damage to those affected. This is likely to involve multiple disciplines, which could include information security specialists, IT resources, a PR agency, legal advice and credit reporting services.
― If you adopt an honourable stance from the outset, doing the right thing at the right time, then your legal team is in a very strong position to defend you to the regulator, arguing that you're not the kind of organisation whose profile requires the full effect of the law, and therefore the punishment.
How to protect organisations from security breaches
― Take some basic steps to build a "protective shield", most notably:
― Build a single, unified security policy
― Ensure information security forms part of any contract initiation
― Make security part of the process when any project is initiated
― Employee adequacy – ensure you have processes for handling new employees, changes of job and employees exiting the company; show that they were made aware of security requirements
― Third-party assurance – have processes in place to guard information held by third parties
― Culture – have a managerial structure in place that demonstrates a chain of responsibility for handling security and reporting errors
― 'Tone at the top'
― Shared ownership of good practices
― Openness & transparency – continuous improvement
State of the Nation – addressing Cyber Risk
Four golden rules our plan is founded upon:
― Get the basics right: over 75% of attacks exploit failures to put in place basic controls
― Look after the crown jewels: you have to prioritize where you spend your money to defend yourself, so build a fortress around your most critical asset
― Do your homework on your enemies: invest in understanding who might attack you, why and how, so that you can anticipate the most likely scenarios and defend those assets that are most likely to get attacked
― Treat cyber risk as an opportunity to look closely at your business: security and resilience can affect nearly every part of an organization; strategies to protect IT security and business resiliency should align with an organization's broader goals – from protecting intellectual property to maximizing productivity to finding new ways to delight customers
Solving the big 'Board reporting problem' in cyber – Jon Hawes, Security Intelligence Strategist, Panaseer
Cyber security insurance – Graeme Newman, Chief Innovation Officer, CFC
Tackling the insider threat – Garath Lauder, Director, Cyberseer; Ted Plumis, Vice President of Channels and Corporate Development, Exabeam
Social engineering: the art of the con – Rob Shapland, Penetration Testing Team Manager, First Base Technologies
Cryptography Basics – Dr David Weston, Lecturer in Computer Science and Information Systems, Birkbeck, University of London
Tokens, Honeypots, Identification, Authorisation Services – Ray Dalgarno, Director, CYBERCAST
Trust with "THIS"
Tokens, Honeypots, Identification, Authorisation Services – The Confluence
Agenda
Warfare
Attack Surface, Attribution, Residency, Deniability
Honeypots & Tokens
Identification and Authorisation
Conclusion
Warfare – security through obscurity: the reason the armed forces adopt camouflage
NHS Cyber Attacks – The Telegraph, 1st Nov 2016
"...hacking is no longer the stuff of spy thrillers and action movies but a clear and present threat..."
"...Ben Gummer, minister for Cabinet, says that large quantities of sensitive data held by the NHS and the Government is being targeted by hackers..."
"...Ministers will also unveil a Cyber Security Research Institute, a virtual collection of UK universities which will work towards making passwords obsolete..."
Cyber Fraud
"...Online fraudsters stole £10.9bn in the UK last year..."
"...39% (of respondents) questioned by "Get Safe Online" said they were a victim of cybercrime but did not report it..."
"...53% received phishing messages..."
Extract from The Telegraph, 20th October 2016
Cyber Crime is a War Zone
"Rouse him and learn the principle of his activity or inactivity. Force him to reveal himself so as to find out his vulnerable spots."
"If you know the enemy and know yourself, you need not fear the results of a hundred battles."
- Sun Tzu, Military General, Strategist & Philosopher, 5th Century BC, China
Deception is a powerful, effective but under-utilised tool – (at least by defenders)
Full range of "effects" on adversaries possible through deception
Deception Effects – Attacker & Defender
Effect | As used by the attacker | As used by the defender
Fail to observe | Prevent the defender from detecting the attack | Prevent the attacker from discovering their target
Reveal | Trick the defender into providing access | Trick the attacker into revealing their presence
Waste time | Focus the defender's attention on the wrong aspects of the incident | Focus the attacker's efforts on the wrong target
Operation Mincemeat – 1943
Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa: to convince the Germans that, instead of attacking Sicily, the Allied armies would invade Greece.
This was accomplished by persuading the Germans that they had by accident intercepted top-secret documents giving details of Allied war plans.
Attack Surface, Attribution, Residency, Deniability – from the living room to the boardroom
Attack Surface
From ordinary consumers to a single-office business, through the regulatory bodies, to the national and global giants
The environment dictates the approach – no "Silver Bullet"
Layered security – combining multiple mitigating security controls to cost-effectively protect resources & data
Attack Attribution – at which point in the attack do you realise that you have been hacked?
TalkTalk, DNC, Yahoo
There are very few "smoking guns" visible
Attacks that often begin with broadly targeted phishing, that can introduce & run new binaries on victims' networks, & that connect to random internal hosts using exfiltrated credentials, can still remain hidden for a year
Examples of Global IT Vendors' Vulnerabilities
Microsoft: Microsoft's August (2016) Patch Tuesday included five updates rated critical out of a total of nine, bringing the number of patches for the year-to-date to 103
SAP: There are vulnerabilities in almost every SAP module; CRM, EP and SRM are leaders among them (ERPScan SAP Cyber Threat Report 2016)
Oracle MICROS (and others): In total more than one million PoS terminals around the world could be at risk, should the attacks prove to have been deeper than the companies are currently publicly admitting (Computing, Aug)
Dwell Time / Residency
Mandiant reported that attackers on average lurked on a network for 205 days before being discovered¹
Microsoft recently reported they place the number at more than 200 days to detect a security breach and 80 days to contain it²
1 https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf
2 https://blogs.windows.com/windowsexperience/2016/03/01/announcing-windows-defender-advanced-threat-protection
Plausible Deniability & Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrongdoing cannot be proved as true or untrue due to a lack of evidence proving the allegation.
It is a basic law for the cheat and the deceiver: be able to offer up an excuse that cannot be disproved easily and that makes sense for the situation.
Trickle-down Effects
Increasing rapidity of car trickle-down: yesteryears' top-end car innovations eventually migrate through the models, becoming standard options in lower-priced vehicles.
This pattern of innovation holds true in virtually every field, including cyber-security.
Malware as a Service (MaaS) – moving from the heavily funded specialist cyber experts down into the mass market
MaaS is now commonly available at very low cost through the darknet and sites such as TOR and I2P
Honeypots & Tokens – Evolution, Mimicry
Honeypots
Venus Flytrap in action (triggered honeypot)
Trojan Horse (passive honeypot): built by the Greeks and used to enter the city of Troy and win the 10-year Trojan war – a 4th Century story
Cartography: a trap street (passive honeypot) is a fictitious entry in the form of a misrepresented street, for the purpose of trapping potential copyright violators
Tempting – moneypot
All mine.........
Ooops
Honeypot Principle
Focus on detecting threats: here we'd like to know immediately someone has broken into the network and is in places they shouldn't be
Ensure the honeypot looks appealing to the attacker: the honeypot must look legitimate & enticing
In this attack scenario the defender has a particular advantage. Once attackers initially land inside your internal network they're at a disadvantage: they don't know the lay of the land and they need to explore it (reconnaissance) while remaining hidden
Defence through Deception
Deception is a highly effective solution for protecting environments, used to confuse, delay and redirect the enemy
Lured to the Canary honeypot, the attacker will be tricked into engaging with that device and believe they are being successful in their attack
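The honeypot principle and the Canary behaviour described above, as an added example that is not part of the talk or of any Canary product: a minimal TCP honeypot in Python. The decoy ports, the FTP-style banner and the peer addresses are constructed for illustration; because nothing legitimate ever talks to these sockets, every connection is an alert, and one source touching several decoy ports is the reconnaissance the slide describes.

```python
import socket
import threading
import time
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed banner: the honeypot must look legitimate and enticing.
DEFAULT_BANNER = b"220 corp-fileserver FTP server ready\r\n"


@dataclass
class Alert:
    """One touch of the honeypot; every touch is suspicious by definition."""
    when: float
    peer: str
    port: int
    first_bytes: bytes


@dataclass
class Honeypot:
    ports: List[int]                     # port 0 lets the OS pick a free one
    host: str = "127.0.0.1"
    banner: bytes = DEFAULT_BANNER
    alerts: List[Alert] = field(default_factory=list)
    _lock: threading.Lock = field(default_factory=threading.Lock, repr=False)

    def record(self, peer: str, port: int, first_bytes: bytes) -> Alert:
        """Detection logic proper, independent of sockets: log who touched
        which decoy port and what they sent first (capped for safe storage)."""
        alert = Alert(time.time(), peer, port, first_bytes[:64])
        with self._lock:
            self.alerts.append(alert)
        return alert

    def _handle(self, conn: socket.socket, peer: str, port: int) -> None:
        # Play the part of a real service, then capture the intruder's opening move.
        with conn:
            try:
                conn.sendall(self.banner)
                conn.settimeout(2.0)
                data = conn.recv(256)
            except OSError:
                data = b""
            self.record(peer, port, data)

    def _serve(self, sock: socket.socket) -> None:
        port = sock.getsockname()[1]
        while True:
            conn, addr = sock.accept()
            threading.Thread(target=self._handle, args=(conn, addr[0], port),
                             daemon=True).start()

    def start(self) -> List[int]:
        """Bind every decoy port and serve each in a background thread."""
        bound: List[int] = []
        for p in self.ports:
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            sock.bind((self.host, p))
            sock.listen(5)
            bound.append(sock.getsockname()[1])
            threading.Thread(target=self._serve, args=(sock,), daemon=True).start()
        self.ports = bound
        return bound


def recon_sources(alerts: List[Alert], min_ports: int = 2) -> Dict[str, int]:
    """Peers that touched at least min_ports distinct decoy ports. Legitimate
    hosts never talk to a honeypot, so this is lateral reconnaissance."""
    seen: Dict[str, Set[int]] = {}
    for a in alerts:
        seen.setdefault(a.peer, set()).add(a.port)
    return {peer: len(ports) for peer, ports in seen.items()
            if len(ports) >= min_ports}


if __name__ == "__main__":
    hp = Honeypot(ports=[0, 0, 0])
    print("honeypot decoys listening on ports", hp.start())
    try:
        while True:          # poll and report, e.g. to feed a SIEM
            time.sleep(5)
            for peer, n in recon_sources(hp.alerts).items():
                print(f"ALERT: {peer} probed {n} decoy ports")
    except KeyboardInterrupt:
        pass
```

Run stand-alone it listens on three OS-chosen loopback ports; in a real deployment the decoys would sit on unused addresses across the segments an intruder is likely to explore, and the alerts would be forwarded to the monitoring platform.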
Canary – Today and Tomorrow
Canary – great for remote sites, but what about our VM data centres?
What about integration with established enterprise monitoring frameworks such as OpenView, CA or Microsoft SCOM?
Console management limit on the number of deployed Canaries
Are "Canarytokens" part of tomorrow's planning?
Identification & Authorisation
A new way forward
Tokens – In general, a token is an object that represents something else, such as another object (either physical or virtual) or an abstract concept. In computer systems there are a number of types of tokens, both hardware and software.
In human terms, a token of trust can exist between two parties, with such levels of trust reinforced through personal introductions with other parties.
A token generation & management platform designed specifically for high-security multi-services in public and private clouds greatly enhances trustworthy information handling.
Identification with Passwords: any directory service or management platform holding passwords becomes a target for the attacker for credentials' theft
Passwords are fundamentally flawed: often easy to guess; reused across different services; written down, stored or shared; can be intercepted; expensive to maintain. 29% of all cybercrime is from stolen passwords
Identification WITHOUT Password
The Problem: the password has outlived its usefulness
Secure Cloudlink's Response: patented and highly secure tokenised message management solution assures password redundancy. User credentials are not transmitted, stored or replicated. Secure digital services – a snap for the user
Randomised encrypted key generation – no consistent key to be stolen
Conclusion – Possible quick wins
Immediate Low-risk Considerations
People protection: continuous interactive education on the threats & risks posed by cyber-criminals, through the deployment of Phish5 email phishing simulations with supporting education processes
Network hardening: rapid deployment of customisable, low-cost, capex-free Canary honeypots throughout the strategic points on the network
Access & authorisation protection: review and assess the usage & costs (direct/indirect) of passwords in your own organisation – test the results against Secure Cloudlink
Information handling assurance: regular external expert assessment & audit of network data governance practices and procedures
Security Through Obscurity
Warfare – The Social Threat
Attack Surface, Attribution, Residency, Deniability – Living room to Boardroom
Honeypots & Tokens – Evolution Mimicked
Identification and Authorisation – New Pathway
Thank you
Trust in "THIS"
Security through Obscurity – Ray Dalgarno
raycybercastco
New and evolving forms of malware – Mark Olding, Senior Enterprise Presales Consultant, Kaspersky Labs
The what, how, who and why of computer malware
Mark Olding, Senior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1994: 1 new virus every hour
2006: 1 new virus every minute
2011: 1 new virus every second
2016: 310,000 new samples every day
THE SCALE OF THE THREAT
[Pyramid chart: traditional cybercrime 90%; targeted threats to organizations 9.9%; cyber-weapons 0.1% – the upper tiers labelled targeted attacks / advanced persistent threats]
THE NATURE OF THE THREAT
TRENDS AND THREATS
• Internet of Things
• Big Data
• Fragmentation of the internet
• Cloud & Virtualization
• Consumerisation & Mobility
• Critical Infrastructure at risk
• Increasing online commerce
• Privacy & Data protection challenge
• Online banking at risk
• Mobile threats
• Decreasing costs of APTs
• Merger of cyber crime and APTs
• Supply chain attacks
• Internet of Things
• Targeting hotel networks
• Ransomware programs
• Cyber mercenaries
• Massive data leaks
• Malware for ATMs
• Financial phishing attacks
• Attacks on PoS terminals
• Threats to Smart Cities
• 'Wipers' & cyber-sabotage
• Targeted attacks
HOW MALWARE SPREADS
USB sticks, email, exploit kits, social networks, browsers, Android OS
VULNERABILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798,113,087 web attacks in 2015
25 attacks per second; 1,518 attacks per minute; 91,000 attacks per hour; 2.1 million attacks per day
DRIVE-BY DOWNLOADS (June 2015)
SOCIAL MEDIA (June 2015)
REMOVABLE DRIVES (June 2015)
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
[Chart: number of attacked users per month, Nov-14 to Sep-15; y-axis 0–450,000 users]
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on almost 2 million computers
This number is 28% higher than in 2014 (June 2015)
Ransomware (June 2015): BLOCKERS and CRYPTORS
Advanced Persistent Threats
Stuxnet
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetic Bear / Crouching Yeti
Epic Turla
Careto / The Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 2.0
Blue Termite
Wild Neutron
We discover and dissect the world's most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
[Diagram] Carbanak sent a backdoor as an attachment; emails with exploits; bank employee; credentials stolen; 100s of machines infected in search of the admin PC; Admin; REC; CASH TRANSFER SYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
bull Evaluate the risksbull Patch OS and applicationsbull Mange your networkbull Secure your systems
Multi-layered protection Not just endpoints Default-Deny Encrypt Donrsquot forget mobile
bull Educate staff
RIGHT NOW
bull Stop fire fighting Create a strategy
bull Itrsquos bigger than ITbull Delegate to experts
Assessment Incident response Analysis
TOMORROW
bull lsquoThe end of APTsrsquobull Alternative payment systems and stock exchangebull Sabotage extortion and shamebull Ransomwarebull Trusted resourcesbull From lsquoAPT-as-a-Servicersquo to lsquoAccess-as-a-servicersquobull Balkanisationbull Transportationbull lsquoCrypto-apocalypse
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
Get back to basics ndash making it work
For effective and sustainable governance
― Setting maintaining and continuing to evolve the ldquotone at the toprdquo
― Monitoring of information risk management by the Board of Directors
― Ongoing practical and relevant awareness training
― Independent assurance
― Regular risk-based security testing Inside and outside the perimeter
What happens if a security breach occurs
― If a security breach occurs organisations that follow clearly documented plans to reduce the impact of the breach have a much better chance of staying out of the law courts and avoiding punishment
― Most organisations unfortunately dont have good systems for actually managing the problem If a breach occurs the law is really concerned with your behaviour at that point in time You cant unravel the past and pretend the breach didnt occur its what you do from that point on that will determine your culpability
― On top of having well documented systems and procedures organisations need to have clearly defined actions for dealing with a breach and limiting the damage to those affected This is likely to involve multiple disciplines that could include information security specialists IT resources a PR agency legal advice and credit reporting services
― If you adopt an honourable stance from the outset doing the right thing at the right time then your legal team is in a very strong position to defend you to the regulator arguing that youre not the kind of organisation that has the profile that requires all of the effect of the law and therefore the punishment
How to protect organisations from security breaches
― Take some basic steps to build a protective shieldrdquo most notably― Build a single unified security policy
― Ensure information security forms part of any contract initiation
― Make security part of the process when any project is initiated
― Employee adequacy ndash ensure you have processes for handling new employees changes of job and for employees exiting the company show that they were made aware of security requirements
― Third-party assurance ndash have processes in place to guard information held by third parties
― Culture ndash have a managerial structure in place that demonstrates a chain of responsibility for handling security and reporting errors― lsquoTone at the toprsquo
― Shared ownership of good practices
― Openness amp transparency ndash continuous improvement
State of the Nation ndash addressing Cyber RiskFour golden rules our plan is founded upon
Over 75 of attacks exploit failures to put in place basic controls
Get the basics right
You have to prioritize where you spend your money to defend yourself so build a fortress
around your most critical asset
Look after the crown jewels
Invest in understanding who might attack you why and how so that you can anticipate the most likely scenarios and defend those assets that are
most likely to get attacked
Do your homework on your enemies
Security and resilience can affect nearly every part of an organization Strategies to protect IT
security and business resiliency should align with an organizationrsquos broader goals ndash from protecting intellectual property to maximizing productivity to
finding new ways to delight customers
Treat cyber risk as an opportunity to look closely at your business
Solving the big lsquoBoard reporting problemrsquo in cyberJon Hawes Security Intelligence Strategist Panaseer
Cyber security insuranceGraeme Newman Chief Innovation OfficerCFC
Tackling the insider threatGarath Lauder Director CyberseerTed Plumis Vice President of Channels and Corporate Development Exabeam
Social engineering the art of the conRob Shapland Penetration Testing Team Manager First Base Technologies
Cryptography Basics Dr David Weston Lecturer in Computer Science and Information SystemsBirkbeck University of London
Tokens Honeypots Idenitfication Authorisation Services Ray Dalgarno Director CYBERCAST
Trust with ldquoTHISrdquo
TokensHoneypots
Identification Authorisation ServicesThe Confluence
Agenda
Warfare
Attack Surface Attribution Residency Deniability
Honeypots amp Tokens
Identification and Authorisation
Conclusion
WarfareSecurity through obscurity ndash
the reason the armed forces adopt camouflage
NHS Cyber Attacks ndash The Telegraph 1st Nov 2016
ldquohelliphacking is no longer the stuff of spy thrillers and action movies but a clear and present threathelliprdquo
ldquohellipBen Gummer minister for Cabinet says that large quantities of sensitive data held by the NHS and the Government is being targeted by hackershelliprdquo
ldquohellipMinisters will also unveil a Cyber Security Research Institute a virtual collection of UK universities which will work towards making passwords obsoletehelliprdquo
Cyber Fraud
ldquohellipOnline fraudsters stole pound109bn in the UK last yearhelliprdquo
ldquohellip39 (of respondents) questioned by ldquoGet Safe Onlinerdquo said they were a victim of cybercrime but did not report ithelliprdquo
ldquohellip53 received phishing messageshelliprdquo
Extract from The Telegraph 20th October 2016
Cyber Crime is a War ZoneldquoRouse him and learn the principle of his activity or inactivity Force him to reveal himself so as to find out his vulnerable spotsrdquoldquoIf you know the enemy and know yourself you need not fear the results of a hundred battlesrdquo
- Sun Tzu Military General Strategist amp Philosopher 5th Century BC ChinaDeception is a powerful effective but under utilised tool ndash (at least by defenders)
Full range of ldquoeffectsrdquo on adversaries possible through deception
Effects Attacker Defender
Fail to observe
Prevent the defender from detecting the attack Prevent the attacker from discovering their target
Reveal
Trick the defender into providing access Trick the attacker into revealing their presence
Waste Time
Focus the defenderrsquos attention on the wrong aspects of the incident
Focus the attackerrsquos efforts on the wrong target
Deception Effects - Attacker amp Defender
Operation Mincemeat - 1943
Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa To convince the Germans that instead of attacking Sicily the Allied armies would invade Greece
Operation Mincemeat - 1943Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa To convince the Germans that instead of attacking Sicily the Allied armies would invade Greece
This was accomplished by persuading the Germans that they had by accident intercepted top secret documents giving details of Allied war plans
Attack Surface Attribution Residency
DeniabilityFrom the living room to the boardroom
Attack Surface
From ordinary consumers to a single-office business through the regulatory bodies to the national and global giants
The environment dictates the approach ndash no ldquoSilver Bulletrdquo
Layered security ndash combining multiple mitigating security controls to cost effectively protect resources amp data
Attack AttributionAt which point in the attack do you realise that you have been hacked
TalkTalk DNC Yahoo
There are very few ldquosmoking gunsrdquo visible
Attacks that often begin with broadly targeted phishing that can introduce amp run new binaries on victims networks amp that connect to random internal hosts using exfiltrated credentials can still remain hidden for a year
Examples of Global IT Vendorsrsquo Vulnerabilities
Microsoft Microsoft August (2016) Patch Tuesday included five updates rated
critical out of a total of nine bringing the number of patches for the year-to-date at 103
SAP There are vulnerabilities in almost every SAP module CRM EP and SRM
are leaders among them ERPScan SAP Cyber Threat Report2016
Oracle MICROS (and others) In total more than one million PoS terminals around the world could be
at risk should the attacks prove to have been deeper than the companies are currently publicly admitting
Computing Aug
Dwell TimeResidency
Mandiant reported that attackers on average lurked on a network for 205 days before being discoveredsup1
Microsoft recently reported they place the number at more than 200 days to detect a security breach and 80 days to contain itsup2
1 httpswww2fireeyecomrsfireyeimagesrpt-m-trends-2015pdf2 httpsblogswindowscomwindowsexperience20160301announcing-windows-defender-advanced-threat-protection
Plausible Deniability amp Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrong doing cannot be proved as true or untrue due to a lack of evidence proving the allegation
It is a basic law for the cheat and the deceiver Be able to offer up an excuse that cannot be disproved easily and that makes sense for the situation
Trickle-down Effects
Increasing rapidity of car-trickle-down yester-yearsrsquo top end car innovations eventually migrate through the models becoming standard options in lower-priced vehicles
This pattern of innovation holds true in virtually every field including cyber- security
Malware as a Service (MaaS) ndash moving from the heavily funded specialist cyber experts down into the mass market
MaaS now commonly available at very low cost through the darknet and sites such TOR I2p
Honeypots amp TokensEvolution Mimicry
Honeypots
Venus Flytrap in Action (triggered honeypot)
Trojan Horse (passive honeypot) Greeks built used to enter the city of Troy and win the 10 year Trojan war - 4th Century story
Cartography A trap street (passive honeypot) is a fictitious entry in the form of a misrepresented street for the purpose of trapping potential copyright violators
Tempting - moneypot
All minehelliphelliphellip
Ooops
Honeypot Principle
Focus on detecting threats Here wersquod like to know immediately someone has broken into the network
and in places they shouldnrsquot be
Ensure the honeypot looks appealing to the attacker The honeypot must look legitimate amp enticing
In this attack scenario the defender has particular advantage Once attackers initially land inside your internal network theyrsquore at a
disadvantage They donrsquot know the lay of the land and they need to explore it (reconnaissance) while remaining hidden
Defence through Deception
Deception is a highly effective solution for protecting environments used to confuse delay and redirect the enemy
Lured to the Canary Honeypot the attacker will be tricked into engaging with that device and believe they are being successful in their attack
Canary ndash Today and Tomorrow
Canary - great for remote sites but what about our VM data centres
What about integration with established enterprise monitoring frameworks such as Openview CA or Microsoft SCOM
Console management limit on the number of deployed Canaries
Are ldquoCanarytokensrdquo part of tomorrowrsquos planning
Identification amp Authorisation
A new way forward
TokensTokens - In general a token is an object that represents something else such as another object (either physical or virtual) or an abstract concept In computer systems there are a number of types of tokens both hardware and software
In human terms a token of trust can exist between two parties with such levels of trust reinforced through personal introductions with other partiesA token generation amp management platform designed specifically for high security multi-services in public and private clouds
greatly enhances trustworthy information handling
Identification with Passwords Any directory service or managementplatform holding passwords becomes atarget by the attacker for credentialsrsquo theft
Passwords are fundamentally flawed Often easy to guess Are reused across different services Are written down or stored or shared Can be intercepted Are expensive to maintain 29 of all cybercrime is from stolen
passwords
Identification WITHOUT Password
The Problem The password has outlived itrsquos usefulness
Secure Cloudlinkrsquos Response Patented and highly secure tokenised message management
solution assures password redundancy User credentials are not transmitted stored or replicated Secure digital services - a snap for the user
Randomised encrypted key generation ndashno consistent key to be stolen
ConclusionPossible quick-wins
Immediate Low-risk ConsiderationsPeople protection Continuous inter-active education on the threats amp risks posed by cyber-criminals through the deployment of Phish5 email phishing simulations with supporting education processes
Network hardening Rapid deployment of customisable low-cost capex-free Canary honeypots throughout the strategic points on the network
Access amp authorisation protection Review and assess the usage amp costs (directindirect) of passwords in your own organisation ndash test the results against Secure Cloudlink
Information handling assurance Regular external expert assessment amp audit of network data governance practices and procedures
Security Through Obscurity
Warfare - The Social Threat
Attack Surface Attribution Residency Deniability -Livingroom to Boardroom
Honeypots amp Tokens ndash Evolution Mimicked
Identification and Authorisation ndash New Pathway
Thank you
Trust in ldquoTHISrdquo
Security through ObscurityRay Dalgarno
raycybercastco
New and evolving forms of malwareMark Olding Senior Enterprise Presales Consultant Kaspersky Labs
The what how who and why of computer malware
Mark OldingSenior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1994: 1 new virus every hour
2006: 1 new virus every minute
2011: 1 new virus every second
2016: 310,000 new samples every day
THE SCALE OF THE THREAT
[Chart: 90% traditional cybercrime; 9.9% targeted threats to organizations (targeted attacks, advanced persistent threats); 0.1% cyber-weapons]
THE NATURE OF THE THREAT
TRENDS AND THREATS
• Internet of Things
• Big Data
• Fragmentation of the internet
• Cloud & Virtualization
• Consumerisation & Mobility
• Critical Infrastructure at risk
• Increasing online commerce
• Privacy & Data protection challenge
• Online banking at risk
• Mobile threats
• Decreasing costs of APTs
• Merger of cyber crime and APTs
• Supply chain attacks
• Targeting hotel networks
• Ransomware programs
• Cyber mercenaries
• Massive data leaks
• Malware for ATMs
• Financial phishing attacks
• Attacks on PoS terminals
• Threats to Smart Cities
• 'Wipers' & Cyber-sabotage
• Targeted Attacks
HOW MALWARE SPREADS
USB sticks, Email, Exploit kits, Social Networks, Browsers, Android OS
VULNERABILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798,113,087 web attacks in 2015:
25 attacks per second; 1,518 attacks per minute; 91,000 attacks per hour; 2.1 million attacks per day
DRIVE-BY DOWNLOADS (June 2015)
SOCIAL MEDIA (June 2015)
REMOVABLE DRIVES (June 2015)
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
[Chart: users attacked by online-banking malware per month, Nov-14 to Sep-15; y-axis 0–450,000 users]
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on almost 2 million computers.
This number is 2.8% higher than in 2014.
RANSOMWARE (June 2015)
[Chart: blockers vs cryptors]
Advanced Persistent Threats
Stuxnet, Duqu, Gauss, Flame, MiniFlame, Kimsuky, NetTraveler, Winnti, Icefog, RedOctober, Miniduke, TeamSpy, Energetic Bear / Crouching Yeti, Epic Turla, Careto / The Mask, Regin, CosmicDuke, Darkhotel, Spring Dragon, Satellite Turla, MsnMM Campaigns, Darkhotel Part 2, Animal Farm, Equation, Desert Falcons, Carbanak, Sofacy, Hellsing, Naikon, Duqu 2.0, Blue Termite, Wild Neutron
We discover and dissect the world's most sophisticated malware.
HOW THE CARBANAK CYBERGANG STOLE $1bn
A targeted attack on a bank
1 Infection: Carbanak sent a backdoor as an attachment; emails with exploits went to bank employees; credentials were stolen; 100s of machines were infected in search of the admin PC.
2 Harvesting intelligence: intercepting the clerk's screen (recording the admin's screen) to learn the cash transfer systems.
3 Mimicking the staff – how the money was stolen:
• Online banking: money was transferred to the fraudsters' accounts
• E-payment systems: money was transferred to banks in China and the US
• Inflated account balances: the extra funds were pocketed via a fraudulent transaction
• Controlling ATMs: orders to dispense cash at a pre-determined time
MAC MALWARE
In 2012 the Flashback botnet was discovered, consisting of 700,000 computers all running Mac OS X.
Cybercriminals repeatedly use Mac malware when launching targeted attacks.
Macs can unknowingly pass PC malware onto PCs in your network.
[Chart: Mac malware samples by year, 2003–2015; y-axis 0–30,000]
Since 2012 the proportion of adware on OS X has increased fivefold (x5).
Kaspersky Lab recorded almost 6 million unique attacks on Mac devices in 2015.
There are more than 24,000 samples of malicious OS X files in Kaspersky Lab's collection.
MOBILE MALWARE
[Chart: mobile malware samples by quarter, Q1 2011 to Q3 2015; y-axis 0–1,600,000]
[Pie chart: mobile malware by type – Adware, RiskTool, Trojan-SMS, Trojan, Trojan-Spy, Backdoor, Trojan-Downloader, Trojan-Banker, Trojan-Ransom, Monitor, Other]
RIGHT NOW
• Evaluate the risks
• Patch OS and applications
• Manage your network
• Secure your systems: multi-layered protection, not just endpoints; Default-Deny; encrypt; don't forget mobile
• Educate staff
• Stop fire fighting – create a strategy
• It's bigger than IT
• Delegate to experts: assessment, incident response, analysis
TOMORROW – FUTURE PROSPECTS
• 'The end of APTs'
• Alternative payment systems and stock exchange
• Sabotage, extortion and shame
• Ransomware
• Trusted resources
• From 'APT-as-a-Service' to 'Access-as-a-service'
• Balkanisation
• Transportation
• 'Crypto-apocalypse'
THANK YOU
Closing keynote address – Vicki Gavin, Compliance Director, Head of Business Continuity & Information Security, The Economist Group
Thank you
What happens if a security breach occurs?
― If a security breach occurs, organisations that follow clearly documented plans to reduce the impact of the breach have a much better chance of staying out of the law courts and avoiding punishment.
― Most organisations, unfortunately, don't have good systems for actually managing the problem. If a breach occurs, the law is really concerned with your behaviour at that point in time. You can't unravel the past and pretend the breach didn't occur; it's what you do from that point on that will determine your culpability.
― On top of having well-documented systems and procedures, organisations need to have clearly defined actions for dealing with a breach and limiting the damage to those affected. This is likely to involve multiple disciplines that could include information security specialists, IT resources, a PR agency, legal advice and credit reporting services.
― If you adopt an honourable stance from the outset, doing the right thing at the right time, then your legal team is in a very strong position to defend you to the regulator, arguing that you're not the kind of organisation that has the profile that requires all of the effect of the law and therefore the punishment.
How to protect organisations from security breaches
― Take some basic steps to build a "protective shield", most notably:
― Build a single, unified security policy
― Ensure information security forms part of any contract initiation
― Make security part of the process when any project is initiated
― Employee adequacy – ensure you have processes for handling new employees, changes of job and employees exiting the company; show that they were made aware of security requirements
― Third-party assurance – have processes in place to guard information held by third parties
― Culture – have a managerial structure in place that demonstrates a chain of responsibility for handling security and reporting errors
― 'Tone at the top'
― Shared ownership of good practices
― Openness & transparency – continuous improvement
State of the Nation – addressing Cyber Risk
Four golden rules our plan is founded upon:
Get the basics right – Over 75% of attacks exploit failures to put in place basic controls.
Look after the crown jewels – You have to prioritize where you spend your money to defend yourself, so build a fortress around your most critical asset.
Do your homework on your enemies – Invest in understanding who might attack you, why and how, so that you can anticipate the most likely scenarios and defend those assets that are most likely to get attacked.
Treat cyber risk as an opportunity to look closely at your business – Security and resilience can affect nearly every part of an organization. Strategies to protect IT security and business resiliency should align with an organization's broader goals – from protecting intellectual property to maximizing productivity to finding new ways to delight customers.
Solving the big 'Board reporting problem' in cyber – Jon Hawes, Security Intelligence Strategist, Panaseer
Cyber security insurance – Graeme Newman, Chief Innovation Officer, CFC
Tackling the insider threat – Garath Lauder, Director, Cyberseer; Ted Plumis, Vice President of Channels and Corporate Development, Exabeam
Social engineering: the art of the con – Rob Shapland, Penetration Testing Team Manager, First Base Technologies
Cryptography Basics – Dr David Weston, Lecturer in Computer Science and Information Systems, Birkbeck, University of London
Tokens, Honeypots, Identification, Authorisation Services – Ray Dalgarno, Director, CYBERCAST
Trust with ldquoTHISrdquo
TokensHoneypots
Identification Authorisation ServicesThe Confluence
Agenda
Warfare
Attack Surface Attribution Residency Deniability
Honeypots amp Tokens
Identification and Authorisation
Conclusion
WarfareSecurity through obscurity ndash
the reason the armed forces adopt camouflage
NHS Cyber Attacks ndash The Telegraph 1st Nov 2016
ldquohelliphacking is no longer the stuff of spy thrillers and action movies but a clear and present threathelliprdquo
ldquohellipBen Gummer minister for Cabinet says that large quantities of sensitive data held by the NHS and the Government is being targeted by hackershelliprdquo
ldquohellipMinisters will also unveil a Cyber Security Research Institute a virtual collection of UK universities which will work towards making passwords obsoletehelliprdquo
Cyber Fraud
ldquohellipOnline fraudsters stole pound109bn in the UK last yearhelliprdquo
ldquohellip39 (of respondents) questioned by ldquoGet Safe Onlinerdquo said they were a victim of cybercrime but did not report ithelliprdquo
ldquohellip53 received phishing messageshelliprdquo
Extract from The Telegraph 20th October 2016
Cyber Crime is a War ZoneldquoRouse him and learn the principle of his activity or inactivity Force him to reveal himself so as to find out his vulnerable spotsrdquoldquoIf you know the enemy and know yourself you need not fear the results of a hundred battlesrdquo
- Sun Tzu Military General Strategist amp Philosopher 5th Century BC ChinaDeception is a powerful effective but under utilised tool ndash (at least by defenders)
Full range of ldquoeffectsrdquo on adversaries possible through deception
Effects Attacker Defender
Fail to observe
Prevent the defender from detecting the attack Prevent the attacker from discovering their target
Reveal
Trick the defender into providing access Trick the attacker into revealing their presence
Waste Time
Focus the defenderrsquos attention on the wrong aspects of the incident
Focus the attackerrsquos efforts on the wrong target
Deception Effects - Attacker amp Defender
Operation Mincemeat - 1943
Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa To convince the Germans that instead of attacking Sicily the Allied armies would invade Greece
Operation Mincemeat - 1943Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa To convince the Germans that instead of attacking Sicily the Allied armies would invade Greece
This was accomplished by persuading the Germans that they had by accident intercepted top secret documents giving details of Allied war plans
Attack Surface Attribution Residency
DeniabilityFrom the living room to the boardroom
Attack Surface
From ordinary consumers to a single-office business through the regulatory bodies to the national and global giants
The environment dictates the approach ndash no ldquoSilver Bulletrdquo
Layered security ndash combining multiple mitigating security controls to cost effectively protect resources amp data
Attack AttributionAt which point in the attack do you realise that you have been hacked
TalkTalk DNC Yahoo
There are very few ldquosmoking gunsrdquo visible
Attacks that often begin with broadly targeted phishing that can introduce amp run new binaries on victims networks amp that connect to random internal hosts using exfiltrated credentials can still remain hidden for a year
Examples of Global IT Vendorsrsquo Vulnerabilities
Microsoft Microsoft August (2016) Patch Tuesday included five updates rated
critical out of a total of nine bringing the number of patches for the year-to-date at 103
SAP There are vulnerabilities in almost every SAP module CRM EP and SRM
are leaders among them ERPScan SAP Cyber Threat Report2016
Oracle MICROS (and others) In total more than one million PoS terminals around the world could be
at risk should the attacks prove to have been deeper than the companies are currently publicly admitting
Computing Aug
Dwell TimeResidency
Mandiant reported that attackers on average lurked on a network for 205 days before being discoveredsup1
Microsoft recently reported they place the number at more than 200 days to detect a security breach and 80 days to contain itsup2
1 httpswww2fireeyecomrsfireyeimagesrpt-m-trends-2015pdf2 httpsblogswindowscomwindowsexperience20160301announcing-windows-defender-advanced-threat-protection
Plausible Deniability amp Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrong doing cannot be proved as true or untrue due to a lack of evidence proving the allegation
It is a basic law for the cheat and the deceiver Be able to offer up an excuse that cannot be disproved easily and that makes sense for the situation
Trickle-down Effects
Increasing rapidity of car-trickle-down yester-yearsrsquo top end car innovations eventually migrate through the models becoming standard options in lower-priced vehicles
This pattern of innovation holds true in virtually every field including cyber- security
Malware as a Service (MaaS) ndash moving from the heavily funded specialist cyber experts down into the mass market
MaaS now commonly available at very low cost through the darknet and sites such TOR I2p
Honeypots amp TokensEvolution Mimicry
Honeypots
Venus Flytrap in Action (triggered honeypot)
Trojan Horse (passive honeypot) Greeks built used to enter the city of Troy and win the 10 year Trojan war - 4th Century story
Cartography A trap street (passive honeypot) is a fictitious entry in the form of a misrepresented street for the purpose of trapping potential copyright violators
Tempting - moneypot
All minehelliphelliphellip
Ooops
Honeypot Principle
Focus on detecting threats Here wersquod like to know immediately someone has broken into the network
and in places they shouldnrsquot be
Ensure the honeypot looks appealing to the attacker The honeypot must look legitimate amp enticing
In this attack scenario the defender has particular advantage Once attackers initially land inside your internal network theyrsquore at a
disadvantage They donrsquot know the lay of the land and they need to explore it (reconnaissance) while remaining hidden
Defence through Deception
Deception is a highly effective solution for protecting environments used to confuse delay and redirect the enemy
Lured to the Canary Honeypot the attacker will be tricked into engaging with that device and believe they are being successful in their attack
Canary ndash Today and Tomorrow
Canary - great for remote sites but what about our VM data centres
What about integration with established enterprise monitoring frameworks such as Openview CA or Microsoft SCOM
Console management limit on the number of deployed Canaries
Are ldquoCanarytokensrdquo part of tomorrowrsquos planning
Identification amp Authorisation
A new way forward
TokensTokens - In general a token is an object that represents something else such as another object (either physical or virtual) or an abstract concept In computer systems there are a number of types of tokens both hardware and software
In human terms a token of trust can exist between two parties with such levels of trust reinforced through personal introductions with other partiesA token generation amp management platform designed specifically for high security multi-services in public and private clouds
greatly enhances trustworthy information handling
Identification with Passwords Any directory service or managementplatform holding passwords becomes atarget by the attacker for credentialsrsquo theft
Passwords are fundamentally flawed Often easy to guess Are reused across different services Are written down or stored or shared Can be intercepted Are expensive to maintain 29 of all cybercrime is from stolen
passwords
Identification WITHOUT Password
The Problem The password has outlived itrsquos usefulness
Secure Cloudlinkrsquos Response Patented and highly secure tokenised message management
solution assures password redundancy User credentials are not transmitted stored or replicated Secure digital services - a snap for the user
Randomised encrypted key generation ndashno consistent key to be stolen
ConclusionPossible quick-wins
Immediate Low-risk ConsiderationsPeople protection Continuous inter-active education on the threats amp risks posed by cyber-criminals through the deployment of Phish5 email phishing simulations with supporting education processes
Network hardening Rapid deployment of customisable low-cost capex-free Canary honeypots throughout the strategic points on the network
Access amp authorisation protection Review and assess the usage amp costs (directindirect) of passwords in your own organisation ndash test the results against Secure Cloudlink
Information handling assurance Regular external expert assessment amp audit of network data governance practices and procedures
Security Through Obscurity
Warfare - The Social Threat
Attack Surface Attribution Residency Deniability -Livingroom to Boardroom
Honeypots amp Tokens ndash Evolution Mimicked
Identification and Authorisation ndash New Pathway
Thank you
Trust in ldquoTHISrdquo
Security through ObscurityRay Dalgarno
raycybercastco
New and evolving forms of malwareMark Olding Senior Enterprise Presales Consultant Kaspersky Labs
The what how who and why of computer malware
Mark OldingSenior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1NEW VIRUS EVERY HOUR
19941NEW VIRUS EVERY MINUTE
20061NEW VIRUS EVERY SECOND
2011310000NEW SAMPLES EVERY DAY
2016
THE SCALE OF THE THREAT
90
99
01
Targeted attacks
Advanced persistent threats
Traditional cybercrime
Targeted threats to organizations
Cyber-weapons
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of ThingsBig Data Fragmentation of the internet
Cloud amp Virtualization Consumerisation amp Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy amp Data protection challenge
Online banking at risk
Mobile threatsDecreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of ThingsTargeting hotel networks
Ransomware programs
Cyber mercenaries Massive data leaks
Malware for ATMs
Financial phishing attacksAttacks on
PoS terminals
Threats to Smart CitieslsquoWipersrsquo amp Cyber - sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email Exploit kits
Social Networks
BrowsersAn-droi-dOS
VULNERBILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798113087 web attacks in 2015
25 attacks per second1518 attacks per minute
21 million attacks per day 91000 attacks per hour
DRIVE-BY DOWNLOADS
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
bull Evaluate the risksbull Patch OS and applicationsbull Mange your networkbull Secure your systems
Multi-layered protection Not just endpoints Default-Deny Encrypt Donrsquot forget mobile
bull Educate staff
RIGHT NOW
bull Stop fire fighting Create a strategy
bull Itrsquos bigger than ITbull Delegate to experts
Assessment Incident response Analysis
TOMORROW
bull lsquoThe end of APTsrsquobull Alternative payment systems and stock exchangebull Sabotage extortion and shamebull Ransomwarebull Trusted resourcesbull From lsquoAPT-as-a-Servicersquo to lsquoAccess-as-a-servicersquobull Balkanisationbull Transportationbull lsquoCrypto-apocalypse
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
How to protect organisations from security breaches
― Take some basic steps to build a protective shieldrdquo most notably― Build a single unified security policy
― Ensure information security forms part of any contract initiation
― Make security part of the process when any project is initiated
― Employee adequacy ndash ensure you have processes for handling new employees changes of job and for employees exiting the company show that they were made aware of security requirements
― Third-party assurance ndash have processes in place to guard information held by third parties
― Culture ndash have a managerial structure in place that demonstrates a chain of responsibility for handling security and reporting errors― lsquoTone at the toprsquo
― Shared ownership of good practices
― Openness amp transparency ndash continuous improvement
State of the Nation ndash addressing Cyber RiskFour golden rules our plan is founded upon
Over 75 of attacks exploit failures to put in place basic controls
Get the basics right
You have to prioritize where you spend your money to defend yourself so build a fortress
around your most critical asset
Look after the crown jewels
Invest in understanding who might attack you why and how so that you can anticipate the most likely scenarios and defend those assets that are
most likely to get attacked
Do your homework on your enemies
Security and resilience can affect nearly every part of an organization Strategies to protect IT
security and business resiliency should align with an organizationrsquos broader goals ndash from protecting intellectual property to maximizing productivity to
finding new ways to delight customers
Treat cyber risk as an opportunity to look closely at your business
Solving the big lsquoBoard reporting problemrsquo in cyberJon Hawes Security Intelligence Strategist Panaseer
Cyber security insuranceGraeme Newman Chief Innovation OfficerCFC
Tackling the insider threatGarath Lauder Director CyberseerTed Plumis Vice President of Channels and Corporate Development Exabeam
Social engineering the art of the conRob Shapland Penetration Testing Team Manager First Base Technologies
Cryptography Basics Dr David Weston Lecturer in Computer Science and Information SystemsBirkbeck University of London
Tokens Honeypots Idenitfication Authorisation Services Ray Dalgarno Director CYBERCAST
Trust with ldquoTHISrdquo
TokensHoneypots
Identification Authorisation ServicesThe Confluence
Agenda
Warfare
Attack Surface Attribution Residency Deniability
Honeypots amp Tokens
Identification and Authorisation
Conclusion
WarfareSecurity through obscurity ndash
the reason the armed forces adopt camouflage
NHS Cyber Attacks ndash The Telegraph 1st Nov 2016
ldquohelliphacking is no longer the stuff of spy thrillers and action movies but a clear and present threathelliprdquo
ldquohellipBen Gummer minister for Cabinet says that large quantities of sensitive data held by the NHS and the Government is being targeted by hackershelliprdquo
ldquohellipMinisters will also unveil a Cyber Security Research Institute a virtual collection of UK universities which will work towards making passwords obsoletehelliprdquo
Cyber Fraud
ldquohellipOnline fraudsters stole pound109bn in the UK last yearhelliprdquo
ldquohellip39 (of respondents) questioned by ldquoGet Safe Onlinerdquo said they were a victim of cybercrime but did not report ithelliprdquo
ldquohellip53 received phishing messageshelliprdquo
Extract from The Telegraph 20th October 2016
Cyber Crime is a War ZoneldquoRouse him and learn the principle of his activity or inactivity Force him to reveal himself so as to find out his vulnerable spotsrdquoldquoIf you know the enemy and know yourself you need not fear the results of a hundred battlesrdquo
- Sun Tzu Military General Strategist amp Philosopher 5th Century BC ChinaDeception is a powerful effective but under utilised tool ndash (at least by defenders)
Full range of ldquoeffectsrdquo on adversaries possible through deception
Effects Attacker Defender
Fail to observe
Prevent the defender from detecting the attack Prevent the attacker from discovering their target
Reveal
Trick the defender into providing access Trick the attacker into revealing their presence
Waste Time
Focus the defenderrsquos attention on the wrong aspects of the incident
Focus the attackerrsquos efforts on the wrong target
Deception Effects - Attacker amp Defender
Operation Mincemeat - 1943
Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa To convince the Germans that instead of attacking Sicily the Allied armies would invade Greece
Operation Mincemeat - 1943Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa To convince the Germans that instead of attacking Sicily the Allied armies would invade Greece
This was accomplished by persuading the Germans that they had by accident intercepted top secret documents giving details of Allied war plans
Attack Surface Attribution Residency
DeniabilityFrom the living room to the boardroom
Attack Surface
From ordinary consumers to a single-office business through the regulatory bodies to the national and global giants
The environment dictates the approach ndash no ldquoSilver Bulletrdquo
Layered security ndash combining multiple mitigating security controls to cost effectively protect resources amp data
Attack AttributionAt which point in the attack do you realise that you have been hacked
TalkTalk DNC Yahoo
There are very few ldquosmoking gunsrdquo visible
Attacks that often begin with broadly targeted phishing that can introduce amp run new binaries on victims networks amp that connect to random internal hosts using exfiltrated credentials can still remain hidden for a year
Examples of Global IT Vendorsrsquo Vulnerabilities
Microsoft Microsoft August (2016) Patch Tuesday included five updates rated
critical out of a total of nine bringing the number of patches for the year-to-date at 103
SAP There are vulnerabilities in almost every SAP module CRM EP and SRM
are leaders among them ERPScan SAP Cyber Threat Report2016
Oracle MICROS (and others) In total more than one million PoS terminals around the world could be
at risk should the attacks prove to have been deeper than the companies are currently publicly admitting
Computing Aug
Dwell TimeResidency
Mandiant reported that attackers on average lurked on a network for 205 days before being discoveredsup1
Microsoft recently reported they place the number at more than 200 days to detect a security breach and 80 days to contain itsup2
1 httpswww2fireeyecomrsfireyeimagesrpt-m-trends-2015pdf2 httpsblogswindowscomwindowsexperience20160301announcing-windows-defender-advanced-threat-protection
Plausible Deniability amp Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrong doing cannot be proved as true or untrue due to a lack of evidence proving the allegation
It is a basic law for the cheat and the deceiver Be able to offer up an excuse that cannot be disproved easily and that makes sense for the situation
Trickle-down Effects
Increasing rapidity of car-trickle-down yester-yearsrsquo top end car innovations eventually migrate through the models becoming standard options in lower-priced vehicles
This pattern of innovation holds true in virtually every field including cyber- security
Malware as a Service (MaaS) ndash moving from the heavily funded specialist cyber experts down into the mass market
MaaS now commonly available at very low cost through the darknet and sites such TOR I2p
Honeypots amp TokensEvolution Mimicry
Honeypots
Venus Flytrap in Action (triggered honeypot)
Trojan Horse (passive honeypot) Greeks built used to enter the city of Troy and win the 10 year Trojan war - 4th Century story
New and evolving forms of malware - Mark Olding, Senior Enterprise Presales Consultant, Kaspersky Lab
The what, how, who and why of computer malware
THE SCALE OF THE THREAT
1994: 1 new virus every hour
2006: 1 new virus every minute
2011: 1 new virus every second
2016: 310,000 new samples every day
THE SCALE OF THE THREAT
(Chart: share of threats by category)
Traditional cybercrime: 90%
Targeted threats to organizations (targeted attacks, advanced persistent threats): 9.9%
Cyber-weapons: 0.1%
THE NATURE OF THE THREAT
TRENDS AND THREATS
- Internet of Things
- Big Data
- Fragmentation of the internet
- Cloud & virtualization
- Consumerisation & mobility
- Critical infrastructure at risk
- Increasing online commerce
- Privacy & data protection challenge
- Online banking at risk
- Mobile threats
- Decreasing costs of APTs
- Merger of cyber crime and APTs
- Supply chain attacks
- Targeting hotel networks
- Ransomware programs
- Cyber mercenaries
- Massive data leaks
- Malware for ATMs
- Financial phishing attacks
- Attacks on PoS terminals
- Threats to smart cities
- 'Wipers' & cyber-sabotage
- Targeted attacks
HOW MALWARE SPREADS
- USB sticks
- Email
- Exploit kits
- Social networks
- Browsers
- Android OS
VULNERABILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab detected 798,113,087 web attacks in 2015:
25 attacks per second, 1,518 attacks per minute, 91,000 attacks per hour, about 2.2 million attacks per day
DRIVE-BY DOWNLOADS (chart, June 2015)
SOCIAL MEDIA (chart, June 2015)
REMOVABLE DRIVES (chart, June 2015)
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
(Chart: users attacked per month, Nov-14 to Sep-15; y-axis 0 to 450,000 users)
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on almost 2 million computers. This number is 2.8% higher than in 2014.
RANSOMWARE (chart, June 2015): blockers vs cryptors
ADVANCED PERSISTENT THREATS
Stuxnet, Duqu, Gauss, Flame, MiniFlame, Kimsuky, NetTraveler, Winnti, Icefog, RedOctober, Miniduke, TeamSpy, Energetic Bear / Crouching Yeti, Epic Turla, Careto / The Mask, Regin, CosmicDuke, Darkhotel, Spring Dragon, Satellite Turla, MsnMM campaigns, Darkhotel part 2, Animal Farm, Equation, Desert Falcons, Carbanak, Sofacy, Hellsing, Naikon, Duqu 2.0, Blue Termite, Wild Neutron
We discover and dissect the world's most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn - a targeted attack on a bank
1. Infection: emails with exploits sent to bank employees; the Carbanak backdoor delivered as an attachment; credentials stolen; hundreds of machines infected in search of an admin PC.
2. Harvesting intelligence: intercepting (recording) the admin's and clerks' screens to learn how the cash transfer systems are operated.
3. Mimicking the staff - how the money was stolen:
- Online banking: money was transferred to the fraudsters' accounts
- E-payment systems: money was transferred to banks in China and the US
- Inflated account balances: the extra funds were pocketed via a fraudulent transaction
- Controlling ATMs: orders to dispense cash at a pre-determined time
MAC MALWARE
In 2012 the Flashback botnet was discovered, consisting of 700,000 computers all running Mac OS X.
Cybercriminals repeatedly use Mac malware when launching targeted attacks.
Macs can unknowingly pass PC malware on to the PCs in your network.
(Chart: Mac malware samples per year, 2003 to 2015; y-axis 0 to 30,000)
Since 2012 the proportion of adware on OS X has increased fivefold (x5).
Kaspersky Lab recorded almost 6 million unique attacks on Mac devices in 2015.
There are more than 24,000 samples of malicious OS X files in Kaspersky Lab's collection.
MOBILE MALWARE
(Chart: mobile malware samples per quarter, Q1 2011 to Q3 2015; y-axis 0 to 1,600,000)
(Chart: mobile malware by type: Adware, RiskTool, Trojan-SMS, Trojan, Trojan-Spy, Backdoor, Trojan-Downloader, Trojan-Banker, Trojan-Ransom, Monitor, Other)
RIGHT NOW
- Evaluate the risks
- Patch OS and applications
- Manage your network
- Secure your systems: multi-layered protection, not just endpoints; default-deny; encrypt; don't forget mobile
- Educate staff
TOMORROW
- Stop fire fighting: create a strategy
- It's bigger than IT
- Delegate to experts: assessment, incident response, analysis
FUTURE PROSPECTS
- 'The end of APTs'
- Alternative payment systems and stock exchanges
- Sabotage, extortion and shame
- Ransomware
- Trusted resources
- From 'APT-as-a-Service' to 'Access-as-a-Service'
- Balkanisation
- Transportation
- 'Crypto-apocalypse'
THANK YOU
Closing keynote address - Vicki Gavin, Compliance Director, Head of Business Continuity & Information Security, The Economist Group
Thank you
State of the Nation - addressing cyber risk: four golden rules our plan is founded upon
1. Get the basics right. Over 75% of attacks exploit failures to put in place basic controls.
2. Look after the crown jewels. You have to prioritize where you spend your money to defend yourself, so build a fortress around your most critical assets.
3. Do your homework on your enemies. Invest in understanding who might attack you, why and how, so that you can anticipate the most likely scenarios and defend the assets that are most likely to be attacked.
4. Treat cyber risk as an opportunity to look closely at your business. Security and resilience can affect nearly every part of an organization. Strategies to protect IT security and business resiliency should align with an organization's broader goals - from protecting intellectual property to maximizing productivity to finding new ways to delight customers.
Solving the big 'Board reporting problem' in cyber - Jon Hawes, Security Intelligence Strategist, Panaseer
Cyber security insurance - Graeme Newman, Chief Innovation Officer, CFC
Tackling the insider threat - Garath Lauder, Director, Cyberseer; Ted Plumis, Vice President of Channels and Corporate Development, Exabeam
Social engineering: the art of the con - Rob Shapland, Penetration Testing Team Manager, First Base Technologies
Cryptography Basics - Dr David Weston, Lecturer in Computer Science and Information Systems, Birkbeck, University of London
Tokens, Honeypots, Identification, Authorisation Services - Ray Dalgarno, Director, CYBERCAST
Trust with "THIS"
Tokens, Honeypots, Identification, Authorisation Services - The Confluence
Agenda
Warfare
Attack Surface, Attribution, Residency, Deniability
Honeypots & Tokens
Identification and Authorisation
Conclusion
Warfare: security through obscurity - the reason the armed forces adopt camouflage
NHS Cyber Attacks - The Telegraph, 1st November 2016
"...hacking is no longer the stuff of spy thrillers and action movies but a clear and present threat..."
"...Ben Gummer, minister for the Cabinet Office, says that large quantities of sensitive data held by the NHS and the Government are being targeted by hackers..."
"...Ministers will also unveil a Cyber Security Research Institute, a virtual collection of UK universities which will work towards making passwords obsolete..."
Cyber Fraud - extract from The Telegraph, 20th October 2016
"...Online fraudsters stole £10.9bn in the UK last year..."
"...39% (of respondents) questioned by "Get Safe Online" said they were a victim of cybercrime but did not report it..."
"...53% received phishing messages..."
Cyber Crime is a War Zone
"Rouse him and learn the principle of his activity or inactivity. Force him to reveal himself, so as to find out his vulnerable spots."
"If you know the enemy and know yourself, you need not fear the results of a hundred battles."
- Sun Tzu, military general, strategist & philosopher, 5th century BC, China
Deception is a powerful, effective but under-utilised tool - at least by defenders.
Full range of "effects" on adversaries possible through deception
Deception Effects - Attacker & Defender

Effect           Used by the attacker                                    Used by the defender
Fail to observe  Prevent the defender from detecting the attack          Prevent the attacker from discovering their target
Reveal           Trick the defender into providing access                Trick the attacker into revealing their presence
Waste time       Focus the defender's attention on the wrong aspects     Focus the attacker's efforts on the wrong target
                 of the incident
Operation Mincemeat - 1943
Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa: to convince the Germans that, instead of attacking Sicily, the Allied armies would invade Greece.
This was accomplished by persuading the Germans that they had, by accident, intercepted top secret documents giving details of Allied war plans.
Attack Surface, Attribution, Residency, Deniability - from the living room to the boardroom
Attack Surface
From ordinary consumers to a single-office business, through the regulatory bodies, to the national and global giants.
The environment dictates the approach - there is no "silver bullet".
Layered security: combining multiple mitigating security controls to cost-effectively protect resources & data.
Attack Attribution
At which point in the attack do you realise that you have been hacked? TalkTalk, DNC, Yahoo.
There are very few "smoking guns" visible.
Attacks that begin with broadly targeted phishing, that introduce & run new binaries on victims' networks, and that connect to arbitrary internal hosts using exfiltrated credentials can still remain hidden for a year.
Examples of Global IT Vendors' Vulnerabilities
Microsoft: the August 2016 Patch Tuesday included five updates rated critical out of a total of nine, bringing the number of patches for the year to date to 103.
SAP: there are vulnerabilities in almost every SAP module; CRM, EP and SRM are leaders among them (ERPScan, SAP Cyber Threat Report 2016).
Oracle MICROS (and others): in total more than one million PoS terminals around the world could be at risk, should the attacks prove to have been deeper than the companies are currently publicly admitting (Computing, August 2016).
Dwell Time / Residency
Mandiant reported that attackers on average lurked on a network for 205 days before being discovered [1].
Microsoft recently reported that they place the number at more than 200 days to detect a security breach and 80 days to contain it [2].
[1] https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf
[2] https://blogs.windows.com/windowsexperience/2016/03/01/announcing-windows-defender-advanced-threat-protection/
Plausible Deniability & Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility for, or knowledge of, wrongdoing cannot be proved true or untrue because there is no evidence supporting the allegation.
It is a basic law for the cheat and the deceiver: be able to offer up an excuse that cannot easily be disproved and that makes sense for the situation.
Trickle-down Effects
Car trickle-down is getting faster: yesteryear's top-end car innovations migrate through the model range and become standard options in lower-priced vehicles.
This pattern of innovation holds true in virtually every field, including cyber security.
Malware as a Service (MaaS) is moving from the heavily funded specialist cyber experts down into the mass market.
MaaS is now commonly available at very low cost through darknet markets reached over anonymity networks such as Tor and I2P.
Honeypots & Tokens - Evolution, Mimicry
Honeypots
Venus flytrap in action (triggered honeypot)
Trojan Horse (passive honeypot): built by the Greeks to enter the city of Troy and win the ten-year Trojan War - 4th century story
Cartography: a trap street (passive honeypot) is a fictitious entry, in the form of a misrepresented street, for the purpose of trapping potential copyright violators
Moneypot (cartoon captions: "Tempting", "All mine...", "Ooops")
Honeypot Principle
Focus on detecting threats: here we'd like to know immediately that someone has broken into the network and is in places they shouldn't be.
Ensure the honeypot looks appealing to the attacker: the honeypot must look legitimate & enticing.
In this attack scenario the defender has a particular advantage. Once attackers initially land inside your internal network they're at a disadvantage: they don't know the lay of the land and they need to explore it (reconnaissance) while remaining hidden.
Defence through Deception
Deception is a highly effective solution for protecting environments, used to confuse, delay and redirect the enemy.
Lured to the Canary honeypot, the attacker is tricked into engaging with that device and believes they are succeeding in their attack.
Canary - Today and Tomorrow
Canary is great for remote sites, but what about our VM data centres?
What about integration with established enterprise monitoring frameworks such as OpenView, CA or Microsoft SCOM?
Console management: is there a limit on the number of deployed Canaries?
Are "Canarytokens" part of tomorrow's planning?
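The honeypot principle above, in working form. This is an added example written for this page, not Thinkst Canary's code: a low-interaction listener that mimics a service banner (the OpenSSH-style banner string is assumed, not taken from any product), records every connection as an alert, and formats the alert as a one-line syslog-style record so an existing monitoring framework can ingest it. The probe function plays the attacker's reconnaissance with a constructed payload, so the example runs stand-alone on localhost.

```python
"""Minimal low-interaction 'canary' honeypot (added example; not Thinkst Canary code).

Nothing legitimate should ever connect to this listener, so a single connection
is a high-confidence alert: the source address, the time and the first bytes
the client sent are what the analyst needs to start hunting.
"""
import socket
import threading
import time
from dataclasses import dataclass


@dataclass
class CanaryAlert:
    ts: float
    service: str
    src_ip: str
    src_port: int
    first_bytes: bytes

    def to_syslog(self) -> str:
        """One-line, grep-able record for a SIEM or an SCOM/OpenView style collector."""
        stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(self.ts))
        return (f"{stamp} canary service={self.service} src={self.src_ip}:{self.src_port} "
                f"first_bytes={self.first_bytes[:64]!r}")


class Canary:
    """One fake service. `banner` is what the real service would send on connect."""

    def __init__(self, service, banner, host="127.0.0.1", port=0):
        self.service, self.banner, self.host, self.port = service, banner, host, port
        self.alerts = []
        self._cond = threading.Condition()
        self._sock = None

    def start(self):
        """Bind (port 0 = pick a free port), listen in a daemon thread, return the port."""
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((self.host, self.port))
        s.listen(8)
        self.port = s.getsockname()[1]
        self._sock = s
        threading.Thread(target=self._serve, daemon=True).start()
        return self.port

    def _serve(self):
        while True:
            try:
                conn, (ip, port) = self._sock.accept()
            except OSError:          # listening socket closed by stop()
                return
            threading.Thread(target=self._handle, args=(conn, ip, port), daemon=True).start()

    def _handle(self, conn, ip, port):
        # Look real enough to get the attacker talking, record the first bytes, then drop them.
        conn.settimeout(2.0)
        data = b""
        try:
            conn.sendall(self.banner)
            data = conn.recv(256)
        except OSError:
            pass
        finally:
            conn.close()
        with self._cond:
            self.alerts.append(CanaryAlert(time.time(), self.service, ip, port, data))
            self._cond.notify_all()

    def wait_for_alert(self, timeout=5.0):
        """Block until at least one alert exists (or timeout); return a copy of the list."""
        with self._cond:
            self._cond.wait_for(lambda: bool(self.alerts), timeout)
            return list(self.alerts)

    def stop(self):
        if self._sock:
            self._sock.close()


def probe(host, port, payload):
    """Stand-in for an attacker's reconnaissance: connect, send something, read the banner."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        s.sendall(payload)
        return s.recv(256)


def demo():
    """Run one canary and one probe against it; return (banner the attacker saw, alerts raised)."""
    canary = Canary("ssh", b"SSH-2.0-OpenSSH_7.4\r\n")   # banner text is assumed / illustrative
    port = canary.start()
    try:
        banner = probe("127.0.0.1", port, b"SSH-2.0-scanner_1.0\r\n")  # constructed probe
        alerts = canary.wait_for_alert()
    finally:
        canary.stop()
    return banner, alerts


if __name__ == "__main__":
    seen, raised = demo()
    print("attacker saw:", seen)
    for a in raised:
        print(a.to_syslog())
```

The listener never authenticates or executes anything, so it cannot be used as a pivot; its whole value is that the first touch produces an alert with the source address attached, which is the answer to the "at which point do you realise you have been hacked" question above.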
Identification & Authorisation - a new way forward
Tokens: in general a token is an object that represents something else, such as another object (either physical or virtual) or an abstract concept. In computer systems there are a number of types of tokens, both hardware and software.
In human terms a token of trust can exist between two parties, with such levels of trust reinforced through personal introductions by other parties.
A token generation & management platform designed specifically for high-security multi-services in public and private clouds greatly enhances trustworthy information handling.
Identification with Passwords
Any directory service or management platform holding passwords becomes a target for the attacker's credential theft.
Passwords are fundamentally flawed: often easy to guess; reused across different services; written down, stored or shared; can be intercepted; expensive to maintain. 29% of all cybercrime is from stolen passwords.
Identification WITHOUT Password
The problem: the password has outlived its usefulness.
Secure Cloudlink's response: a patented, highly secure tokenised message management solution that assures password redundancy. User credentials are not transmitted, stored or replicated. Secure digital services - a snap for the user.
Randomised, encrypted key generation - no consistent key to be stolen.
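A minimal server-side model of identification without a stored password, as an added, generic illustration that is not Secure Cloudlink's patented method or code: the server issues a random single-use token, keeps only its hash and an expiry, delivers the token out of band (assumed, e.g. via an app or a one-time link) and verifies it once. A dump of the store yields hashes of short-lived, single-use values rather than reusable credentials, which is the property the slide is after. The injectable clock is an assumption so that expiry can be exercised offline.

```python
"""Passwordless single-use login tokens (added, generic example; not the vendor's scheme).

What the server stores is not a credential: only SHA-256(token secret), an
expiry and the user it maps to. A dump of this table cannot be replayed, and
each token is consumed on first use whether or not the check succeeds.
"""
import hashlib
import hmac
import secrets
import time


class OneTimeTokenStore:
    def __init__(self, ttl_seconds=300, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock                  # injectable for tests
        self._pending = {}                  # token_id -> (sha256(secret), expires_at, user)

    def issue(self, user):
        """Mint a token for `user`; return it for out-of-band delivery. Never stored in clear."""
        token_id = secrets.token_urlsafe(9)   # lookup key; harmless on its own
        secret = secrets.token_urlsafe(32)    # 256 bits of fresh randomness every time
        digest = hashlib.sha256(secret.encode()).digest()
        self._pending[token_id] = (digest, self.clock() + self.ttl, user)
        return f"{token_id}.{secret}"

    def redeem(self, token):
        """Return the user if `token` is genuine, unexpired and unused; otherwise None."""
        try:
            token_id, secret = token.split(".", 1)
        except ValueError:
            return None
        # Single use: remove the entry *before* checking, so a wrong guess burns the
        # token (the user simply requests a fresh one) rather than allowing retries.
        entry = self._pending.pop(token_id, None)
        if entry is None:
            return None
        digest, expires_at, user = entry
        if self.clock() > expires_at:
            return None
        presented = hashlib.sha256(secret.encode()).digest()
        if not hmac.compare_digest(digest, presented):   # constant-time comparison
            return None
        return user

    def purge_expired(self):
        """Housekeeping: drop tokens past their expiry; return how many were removed."""
        now = self.clock()
        stale = [k for k, (_, exp, _) in self._pending.items() if now > exp]
        for k in stale:
            del self._pending[k]
        return len(stale)


def demo():
    """Walk through the lifecycle with a fake clock; return the observed outcomes."""
    now = [1_000_000.0]
    store = OneTimeTokenStore(ttl_seconds=300, clock=lambda: now[0])
    t = store.issue("alice")
    first = store.redeem(t)                    # genuine and fresh -> "alice"
    replay = store.redeem(t)                   # same token again -> None (already consumed)
    t2 = store.issue("bob")
    tampered = store.redeem(t2[:-1] + ("A" if t2[-1] != "A" else "B"))  # wrong secret -> None
    t3 = store.issue("carol")
    now[0] += 301                              # past the TTL
    expired = store.redeem(t3)                 # -> None
    return first, replay, tampered, expired


if __name__ == "__main__":
    print(demo())   # ('alice', None, None, None)
```

The design choice worth noting is the order in redeem: the entry is removed before the secret is compared, so an attacker who has only the token id (for example from a leaked database) gets exactly one guess at a 256-bit secret and, in failing, invalidates the token rather than leaving it open for a second attempt.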
Conclusion - possible quick wins
Immediate low-risk considerations:
- People protection: continuous interactive education on the threats & risks posed by cyber-criminals, through the deployment of Phish5 email phishing simulations with supporting education processes.
- Network hardening: rapid deployment of customisable, low-cost, capex-free Canary honeypots at the strategic points on the network.
- Access & authorisation protection: review and assess the usage & costs (direct/indirect) of passwords in your own organisation - test the results against Secure Cloudlink.
- Information handling assurance: regular external expert assessment & audit of network data governance practices and procedures.
Security Through Obscurity - summary
- Warfare: the social threat
- Attack Surface, Attribution, Residency, Deniability: living room to boardroom
- Honeypots & Tokens: evolution mimicked
- Identification and Authorisation: new pathway
Thank you
Trust in "THIS"
Security through Obscurity - Ray Dalgarno
ray@cybercast.co
New and evolving forms of malwareMark Olding Senior Enterprise Presales Consultant Kaspersky Labs
The what how who and why of computer malware
Mark OldingSenior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1NEW VIRUS EVERY HOUR
19941NEW VIRUS EVERY MINUTE
20061NEW VIRUS EVERY SECOND
2011310000NEW SAMPLES EVERY DAY
2016
THE SCALE OF THE THREAT
90
99
01
Targeted attacks
Advanced persistent threats
Traditional cybercrime
Targeted threats to organizations
Cyber-weapons
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of ThingsBig Data Fragmentation of the internet
Cloud amp Virtualization Consumerisation amp Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy amp Data protection challenge
Online banking at risk
Mobile threatsDecreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of ThingsTargeting hotel networks
Ransomware programs
Cyber mercenaries Massive data leaks
Malware for ATMs
Financial phishing attacksAttacks on
PoS terminals
Threats to Smart CitieslsquoWipersrsquo amp Cyber - sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email Exploit kits
Social Networks
BrowsersAn-droi-dOS
VULNERBILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798113087 web attacks in 2015
25 attacks per second1518 attacks per minute
21 million attacks per day 91000 attacks per hour
DRIVE-BY DOWNLOADS
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
bull Evaluate the risksbull Patch OS and applicationsbull Mange your networkbull Secure your systems
Multi-layered protection Not just endpoints Default-Deny Encrypt Donrsquot forget mobile
bull Educate staff
RIGHT NOW
bull Stop fire fighting Create a strategy
bull Itrsquos bigger than ITbull Delegate to experts
Assessment Incident response Analysis
TOMORROW
bull lsquoThe end of APTsrsquobull Alternative payment systems and stock exchangebull Sabotage extortion and shamebull Ransomwarebull Trusted resourcesbull From lsquoAPT-as-a-Servicersquo to lsquoAccess-as-a-servicersquobull Balkanisationbull Transportationbull lsquoCrypto-apocalypse
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
Solving the big lsquoBoard reporting problemrsquo in cyberJon Hawes Security Intelligence Strategist Panaseer
Cyber security insuranceGraeme Newman Chief Innovation OfficerCFC
Tackling the insider threatGarath Lauder Director CyberseerTed Plumis Vice President of Channels and Corporate Development Exabeam
Social engineering the art of the conRob Shapland Penetration Testing Team Manager First Base Technologies
Cryptography Basics Dr David Weston Lecturer in Computer Science and Information SystemsBirkbeck University of London
Tokens Honeypots Idenitfication Authorisation Services Ray Dalgarno Director CYBERCAST
Trust with ldquoTHISrdquo
TokensHoneypots
Identification Authorisation ServicesThe Confluence
Agenda
Warfare
Attack Surface Attribution Residency Deniability
Honeypots amp Tokens
Identification and Authorisation
Conclusion
WarfareSecurity through obscurity ndash
the reason the armed forces adopt camouflage
NHS Cyber Attacks ndash The Telegraph 1st Nov 2016
ldquohelliphacking is no longer the stuff of spy thrillers and action movies but a clear and present threathelliprdquo
ldquohellipBen Gummer minister for Cabinet says that large quantities of sensitive data held by the NHS and the Government is being targeted by hackershelliprdquo
ldquohellipMinisters will also unveil a Cyber Security Research Institute a virtual collection of UK universities which will work towards making passwords obsoletehelliprdquo
Cyber Fraud
ldquohellipOnline fraudsters stole pound109bn in the UK last yearhelliprdquo
ldquohellip39 (of respondents) questioned by ldquoGet Safe Onlinerdquo said they were a victim of cybercrime but did not report ithelliprdquo
ldquohellip53 received phishing messageshelliprdquo
Extract from The Telegraph 20th October 2016
Cyber Crime is a War ZoneldquoRouse him and learn the principle of his activity or inactivity Force him to reveal himself so as to find out his vulnerable spotsrdquoldquoIf you know the enemy and know yourself you need not fear the results of a hundred battlesrdquo
- Sun Tzu Military General Strategist amp Philosopher 5th Century BC ChinaDeception is a powerful effective but under utilised tool ndash (at least by defenders)
Full range of ldquoeffectsrdquo on adversaries possible through deception
Effects Attacker Defender
Fail to observe
Prevent the defender from detecting the attack Prevent the attacker from discovering their target
Reveal
Trick the defender into providing access Trick the attacker into revealing their presence
Waste Time
Focus the defenderrsquos attention on the wrong aspects of the incident
Focus the attackerrsquos efforts on the wrong target
Deception Effects - Attacker amp Defender
Operation Mincemeat - 1943
Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa To convince the Germans that instead of attacking Sicily the Allied armies would invade Greece
Operation Mincemeat - 1943Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa To convince the Germans that instead of attacking Sicily the Allied armies would invade Greece
This was accomplished by persuading the Germans that they had by accident intercepted top secret documents giving details of Allied war plans
Attack Surface Attribution Residency
DeniabilityFrom the living room to the boardroom
Attack Surface
From ordinary consumers to a single-office business through the regulatory bodies to the national and global giants
The environment dictates the approach ndash no ldquoSilver Bulletrdquo
Layered security ndash combining multiple mitigating security controls to cost effectively protect resources amp data
Attack AttributionAt which point in the attack do you realise that you have been hacked
TalkTalk DNC Yahoo
There are very few ldquosmoking gunsrdquo visible
Attacks that often begin with broadly targeted phishing that can introduce amp run new binaries on victims networks amp that connect to random internal hosts using exfiltrated credentials can still remain hidden for a year
Examples of Global IT Vendorsrsquo Vulnerabilities
Microsoft Microsoft August (2016) Patch Tuesday included five updates rated
critical out of a total of nine bringing the number of patches for the year-to-date at 103
SAP There are vulnerabilities in almost every SAP module CRM EP and SRM
are leaders among them ERPScan SAP Cyber Threat Report2016
Oracle MICROS (and others) In total more than one million PoS terminals around the world could be
at risk should the attacks prove to have been deeper than the companies are currently publicly admitting
Computing Aug
Dwell TimeResidency
Mandiant reported that attackers on average lurked on a network for 205 days before being discoveredsup1
Microsoft recently reported they place the number at more than 200 days to detect a security breach and 80 days to contain itsup2
1 httpswww2fireeyecomrsfireyeimagesrpt-m-trends-2015pdf2 httpsblogswindowscomwindowsexperience20160301announcing-windows-defender-advanced-threat-protection
Plausible Deniability amp Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrong doing cannot be proved as true or untrue due to a lack of evidence proving the allegation
It is a basic law for the cheat and the deceiver Be able to offer up an excuse that cannot be disproved easily and that makes sense for the situation
Trickle-down Effects
Increasing rapidity of car-trickle-down yester-yearsrsquo top end car innovations eventually migrate through the models becoming standard options in lower-priced vehicles
This pattern of innovation holds true in virtually every field including cyber- security
Malware as a Service (MaaS) ndash moving from the heavily funded specialist cyber experts down into the mass market
MaaS now commonly available at very low cost through the darknet and sites such TOR I2p
Honeypots amp TokensEvolution Mimicry
Honeypots
Venus Flytrap in Action (triggered honeypot)
Trojan Horse (passive honeypot) Greeks built used to enter the city of Troy and win the 10 year Trojan war - 4th Century story
Cartography A trap street (passive honeypot) is a fictitious entry in the form of a misrepresented street for the purpose of trapping potential copyright violators
Tempting - moneypot
All minehelliphelliphellip
Ooops
Honeypot Principle
Focus on detecting threats Here wersquod like to know immediately someone has broken into the network
and in places they shouldnrsquot be
Ensure the honeypot looks appealing to the attacker The honeypot must look legitimate amp enticing
In this attack scenario the defender has particular advantage Once attackers initially land inside your internal network theyrsquore at a
disadvantage They donrsquot know the lay of the land and they need to explore it (reconnaissance) while remaining hidden
Defence through Deception
Deception is a highly effective solution for protecting environments used to confuse delay and redirect the enemy
Lured to the Canary Honeypot the attacker will be tricked into engaging with that device and believe they are being successful in their attack
Canary ndash Today and Tomorrow
Canary - great for remote sites but what about our VM data centres
What about integration with established enterprise monitoring frameworks such as Openview CA or Microsoft SCOM
Console management limit on the number of deployed Canaries
Are ldquoCanarytokensrdquo part of tomorrowrsquos planning
Identification amp Authorisation
A new way forward
TokensTokens - In general a token is an object that represents something else such as another object (either physical or virtual) or an abstract concept In computer systems there are a number of types of tokens both hardware and software
In human terms a token of trust can exist between two parties with such levels of trust reinforced through personal introductions with other partiesA token generation amp management platform designed specifically for high security multi-services in public and private clouds
greatly enhances trustworthy information handling
Identification with Passwords Any directory service or managementplatform holding passwords becomes atarget by the attacker for credentialsrsquo theft
Passwords are fundamentally flawed Often easy to guess Are reused across different services Are written down or stored or shared Can be intercepted Are expensive to maintain 29 of all cybercrime is from stolen
passwords
Identification WITHOUT Password
The Problem The password has outlived itrsquos usefulness
Secure Cloudlinkrsquos Response Patented and highly secure tokenised message management
solution assures password redundancy User credentials are not transmitted stored or replicated Secure digital services - a snap for the user
Randomised encrypted key generation ndashno consistent key to be stolen
ConclusionPossible quick-wins
Immediate Low-risk ConsiderationsPeople protection Continuous inter-active education on the threats amp risks posed by cyber-criminals through the deployment of Phish5 email phishing simulations with supporting education processes
Network hardening Rapid deployment of customisable low-cost capex-free Canary honeypots throughout the strategic points on the network
Access amp authorisation protection Review and assess the usage amp costs (directindirect) of passwords in your own organisation ndash test the results against Secure Cloudlink
Information handling assurance Regular external expert assessment amp audit of network data governance practices and procedures
Security Through Obscurity
Warfare - The Social Threat
Attack Surface Attribution Residency Deniability -Livingroom to Boardroom
Honeypots amp Tokens ndash Evolution Mimicked
Identification and Authorisation ndash New Pathway
Thank you
Trust in ldquoTHISrdquo
Security through ObscurityRay Dalgarno
raycybercastco
New and evolving forms of malwareMark Olding Senior Enterprise Presales Consultant Kaspersky Labs
The what how who and why of computer malware
Mark OldingSenior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1994: 1 new virus every hour
2006: 1 new virus every minute
2011: 1 new virus every second
2016: 310,000 new samples every day
THE SCALE OF THE THREAT
90%: traditional cybercrime
9.9%: targeted threats to organizations (targeted attacks, advanced persistent threats)
0.1%: cyber-weapons
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of Things; Big Data; fragmentation of the internet
Cloud & virtualization; consumerisation & mobility
Critical infrastructure at risk
Increasing online commerce
Privacy & data protection challenge
Online banking at risk
Mobile threats; decreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of Things; targeting hotel networks
Ransomware programs
Cyber mercenaries; massive data leaks
Malware for ATMs
Financial phishing attacks; attacks on PoS terminals
Threats to Smart Cities; 'Wipers' & cyber-sabotage
Targeted attacks
HOW MALWARE SPREADS
USB sticks
Email; exploit kits
Social networks
Browsers; Android OS
VULNERABILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798,113,087 web attacks in 2015:
25 attacks per second, 1,518 attacks per minute,
91,000 attacks per hour, 2.1 million attacks per day.
DRIVE-BY DOWNLOADS (June 2015)
SOCIAL MEDIA (June 2015)
REMOVABLE DRIVES (June 2015)
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
[Chart: users attacked by online-banking malware per month, Nov-14 to Sep-15; y-axis "Users", 0 to 450,000]
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on almost 2 million computers.
This number is 2.8% higher than in 2014.
RANSOMWARE (June 2015)
[Chart: ransomware by family type, June 2015: BLOCKERS vs CRYPTORS]
ADVANCED PERSISTENT THREATS
Stuxnet
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetic Bear / Crouching Yeti
Epic Turla
Careto / The Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 2.0
Blue Termite
Wild Neutron
We discover and dissect the world's most sophisticated malware.
HOW THE CARBANAK CYBERGANG STOLE $1bn
A targeted attack on a bank
1. Infection: Carbanak sent the backdoor as an attachment, in emails with exploits, to bank employees; credentials were stolen and hundreds of machines were infected in the search for the admin PC.
2. Harvesting intelligence: from the admin PC, intercepting and recording (REC) the clerk's screen on the cash transfer systems.
3. Mimicking the staff - how the money was stolen:
Online banking: money was transferred to the fraudsters' accounts.
E-payment systems: money was transferred to banks in China and the US.
Inflated account balances: the extra funds were pocketed via a fraudulent transaction.
Controlling ATMs: orders to dispense cash at a pre-determined time.
MAC MALWARE
In 2012 the Flashback botnet was discovered, consisting of 700,000 computers all running Mac OS X.
Cybercriminals repeatedly use Mac malware when launching targeted attacks.
Macs can unknowingly pass PC malware onto PCs in your network.
MAC MALWARE
[Chart: Mac malware samples by year, 2003 to 2015; y-axis "Malware", 0 to 30,000]
Since 2012 the proportion of adware on OS X has increased fivefold (x5).
Kaspersky Lab recorded almost 6 million unique attacks on Mac devices in 2015.
There are more than 24,000 samples of malicious OS X files in Kaspersky Lab's collection.
MOBILE MALWARE
[Chart: mobile malware samples by quarter, Q1 2011 to Q3 2015; y-axis "Malware", 0 to 1,600,000]
MOBILE MALWARE by type: Adware, RiskTool, Trojan-SMS, Trojan, Trojan-Spy, Backdoor, Trojan-Downloader, Trojan-Banker, Trojan-Ransom, Monitor, Other
RIGHT NOW
• Evaluate the risks
• Patch OS and applications
• Manage your network
• Secure your systems: multi-layered protection, not just endpoints; Default-Deny; encrypt; don't forget mobile
• Educate staff
• Stop fire fighting: create a strategy
• It's bigger than IT
• Delegate to experts: assessment, incident response, analysis
TOMORROW: FUTURE PROSPECTS
• 'The end of APTs'
• Alternative payment systems and stock exchange
• Sabotage, extortion and shame
• Ransomware
• Trusted resources
• From 'APT-as-a-Service' to 'Access-as-a-service'
• Balkanisation
• Transportation
• 'Crypto-apocalypse'
THANK YOU
Closing keynote address
Vicki Gavin, Compliance Director, Head of Business Continuity & Information Security, The Economist Group
Thank you
Cyber security insurance: Graeme Newman, Chief Innovation Officer, CFC
Tackling the insider threat: Garath Lauder, Director, Cyberseer; Ted Plumis, Vice President of Channels and Corporate Development, Exabeam
Social engineering, the art of the con: Rob Shapland, Penetration Testing Team Manager, First Base Technologies
Cryptography Basics: Dr David Weston, Lecturer in Computer Science and Information Systems, Birkbeck, University of London
Tokens, Honeypots, Identification, Authorisation Services: Ray Dalgarno, Director, CYBERCAST
Trust with "THIS"
Tokens, Honeypots, Identification, Authorisation Services: The Confluence
Agenda
Warfare
Attack Surface, Attribution, Residency, Deniability
Honeypots & Tokens
Identification and Authorisation
Conclusion
Warfare
Security through obscurity - the reason the armed forces adopt camouflage
NHS Cyber Attacks - The Telegraph, 1st Nov 2016
"...hacking is no longer the stuff of spy thrillers and action movies but a clear and present threat..."
"...Ben Gummer, minister for Cabinet, says that large quantities of sensitive data held by the NHS and the Government is being targeted by hackers..."
"...Ministers will also unveil a Cyber Security Research Institute, a virtual collection of UK universities which will work towards making passwords obsolete..."
Cyber Fraud
"...Online fraudsters stole £10.9bn in the UK last year..."
"...39% (of respondents) questioned by "Get Safe Online" said they were a victim of cybercrime but did not report it..."
"...53% received phishing messages..."
Extract from The Telegraph, 20th October 2016
Cyber Crime is a War Zone
"Rouse him and learn the principle of his activity or inactivity. Force him to reveal himself so as to find out his vulnerable spots."
"If you know the enemy and know yourself you need not fear the results of a hundred battles."
- Sun Tzu, Military General, Strategist & Philosopher, 5th Century BC, China
Deception is a powerful, effective but under-utilised tool (at least by defenders).
A full range of "effects" on adversaries is possible through deception.
Deception Effects - Attacker & Defender
Effect: Fail to observe
    Attacker's use: prevent the defender from detecting the attack
    Defender's use: prevent the attacker from discovering their target
Effect: Reveal
    Attacker's use: trick the defender into providing access
    Defender's use: trick the attacker into revealing their presence
Effect: Waste time
    Attacker's use: focus the defender's attention on the wrong aspects of the incident
    Defender's use: focus the attacker's efforts on the wrong target
Operation Mincemeat - 1943
Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa: to convince the Germans that, instead of attacking Sicily, the Allied armies would invade Greece.
This was accomplished by persuading the Germans that they had by accident intercepted top secret documents giving details of Allied war plans.
Attack Surface, Attribution, Residency, Deniability
From the living room to the boardroom
Attack Surface
From ordinary consumers to a single-office business, through the regulatory bodies, to the national and global giants.
The environment dictates the approach - no "Silver Bullet".
Layered security - combining multiple mitigating security controls to cost-effectively protect resources & data.
Attack Attribution
At which point in the attack do you realise that you have been hacked?
TalkTalk, DNC, Yahoo
There are very few "smoking guns" visible.
Attacks that often begin with broadly targeted phishing, that can introduce & run new binaries on victims' networks, & that connect to random internal hosts using exfiltrated credentials, can still remain hidden for a year.
Examples of Global IT Vendors' Vulnerabilities
Microsoft: Microsoft's August (2016) Patch Tuesday included five updates rated critical out of a total of nine, bringing the number of patches for the year-to-date to 103.
SAP: There are vulnerabilities in almost every SAP module; CRM, EP and SRM are leaders among them. (ERPScan SAP Cyber Threat Report 2016)
Oracle MICROS (and others): In total more than one million PoS terminals around the world could be at risk should the attacks prove to have been deeper than the companies are currently publicly admitting. (Computing, Aug)
Dwell Time / Residency
Mandiant reported that attackers on average lurked on a network for 205 days before being discovered.¹
Microsoft recently reported they place the number at more than 200 days to detect a security breach and 80 days to contain it.²
1. https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf
2. https://blogs.windows.com/windowsexperience/2016/03/01/announcing-windows-defender-advanced-threat-protection
Plausible Deniability & Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrongdoing cannot be proved true or untrue, due to a lack of evidence proving the allegation.
It is a basic law for the cheat and the deceiver: be able to offer up an excuse that cannot be disproved easily and that makes sense for the situation.
Trickle-down Effects
Increasing rapidity of trickle-down: yester-years' top-end car innovations eventually migrate through the models, becoming standard options in lower-priced vehicles.
This pattern of innovation holds true in virtually every field, including cyber-security.
Malware as a Service (MaaS) - moving from the heavily funded specialist cyber experts down into the mass market.
MaaS is now commonly available at very low cost through the darknet and sites such as TOR and I2P.
Honeypots & Tokens: Evolution, Mimicry
Honeypots
Venus flytrap in action (triggered honeypot)
Trojan Horse (passive honeypot): built by the Greeks and used to enter the city of Troy and win the ten-year Trojan War (a 4th Century story).
Cartography: a trap street (passive honeypot) is a fictitious entry, in the form of a misrepresented street, for the purpose of trapping potential copyright violators.
Tempting - moneypot
All mine.........
Ooops
Honeypot Principle
Focus on detecting threats: here we'd like to know immediately when someone has broken into the network and is in places they shouldn't be.
Ensure the honeypot looks appealing to the attacker: the honeypot must look legitimate & enticing.
In this attack scenario the defender has a particular advantage. Once attackers initially land inside your internal network they're at a disadvantage: they don't know the lay of the land and they need to explore it (reconnaissance) while remaining hidden.
Defence through Deception
Deception is a highly effective solution for protecting environments, used to confuse, delay and redirect the enemy.
Lured to the Canary honeypot, the attacker will be tricked into engaging with that device and believe they are being successful in their attack.
Canary - Today and Tomorrow
Canary - great for remote sites, but what about our VM data centres?
What about integration with established enterprise monitoring frameworks such as OpenView, CA or Microsoft SCOM?
Console management: is there a limit on the number of deployed Canaries?
Are "Canarytokens" part of tomorrow's planning?
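The honeypot principle above (a decoy that looks legitimate, where any contact means an intruder is doing reconnaissance) and the Canary discussion that follows it are illustrated by the added example below. It is not Canary's or Cybercast's code: a minimal decoy service that listens on a port no legitimate client should use, answers with a plausible banner so it looks like a real file server, and turns every connection into a structured alert (source address, timestamp, what the intruder sent) that a monitoring framework could ingest. The banner text, the probe labels and the `simulate_touch` driver are constructed for the example.

```python
"""Added example: a minimal decoy-service honeypot that alerts on any contact.
Not Canary's implementation; a generic illustration of the honeypot principle."""
import json
import socket
import threading
from datetime import datetime, timezone

# Constructed banner: looks like an ordinary internal FTP file server.
DECOY_BANNER = b"220 fs01.corp.example FTP server ready\r\n"


def fingerprint_probe(first_bytes: bytes) -> str:
    """Coarse label for what the intruder did after connecting, for triage."""
    if not first_bytes:
        return "connect-only"            # port scan or bare banner grab
    if first_bytes.startswith(b"SSH-"):
        return "ssh-client-banner"       # wrong protocol for the decoy: automated tooling
    verb = first_bytes.split(b" ", 1)[0]
    if verb in (b"GET", b"POST", b"HEAD", b"OPTIONS"):
        return "http-request"
    if verb.upper() in (b"USER", b"PASS", b"QUIT"):
        return "ftp-login-attempt"       # someone believed the banner
    return "unknown"


def build_alert(peer: tuple, decoy_port: int, first_bytes: bytes, when: datetime = None) -> dict:
    """One structured alert per touch; JSON-serialisable for shipping to a SIEM."""
    when = when or datetime.now(timezone.utc)
    return {
        "ts": when.isoformat(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "decoy_port": decoy_port,
        "probe": fingerprint_probe(first_bytes),
        "sample": first_bytes[:64].hex(),  # hex so binary payloads cannot corrupt the log
    }


class Honeypot:
    """Accepts connections one at a time and records an alert for each."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]  # port=0 lets the OS choose; deployments fix it
        self.alerts = []

    def serve_one(self, timeout: float = 5.0) -> dict:
        """Handle a single connection: send the banner, capture the first bytes, alert."""
        self.sock.settimeout(timeout)
        conn, peer = self.sock.accept()
        with conn:
            conn.settimeout(2.0)
            try:
                conn.sendall(DECOY_BANNER)
                data = conn.recv(256)
            except (socket.timeout, OSError):
                data = b""               # connect-and-drop still deserves an alert
        alert = build_alert(peer, self.port, data)
        self.alerts.append(alert)
        return alert

    def close(self) -> None:
        self.sock.close()


def simulate_touch(hp: Honeypot, payload: bytes) -> dict:
    """Drive one local connection against the honeypot and return the resulting alert."""
    worker = threading.Thread(target=hp.serve_one)
    worker.start()
    with socket.create_connection(("127.0.0.1", hp.port), timeout=5) as client:
        client.recv(128)                 # the decoy banner
        client.sendall(payload)
    worker.join()
    return hp.alerts[-1]


if __name__ == "__main__":
    hp = Honeypot()
    print(json.dumps(simulate_touch(hp, b"USER admin\r\n"), indent=2))
    hp.close()
```

Because nothing legitimate is configured to talk to the decoy, the alert needs no tuning and no signature: the connection itself is the indicator. The same alert dictionary is what an integration with the enterprise monitoring frameworks mentioned above would forward.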
Identification & Authorisation
A new way forward
Tokens
In general a token is an object that represents something else, such as another object (either physical or virtual) or an abstract concept. In computer systems there are a number of types of tokens, both hardware and software.
In human terms a token of trust can exist between two parties, with such levels of trust reinforced through personal introductions with other parties.
A token generation & management platform designed specifically for high-security multi-services in public and private clouds greatly enhances trustworthy information handling.
Identification with Passwords Any directory service or managementplatform holding passwords becomes atarget by the attacker for credentialsrsquo theft
Passwords are fundamentally flawed Often easy to guess Are reused across different services Are written down or stored or shared Can be intercepted Are expensive to maintain 29 of all cybercrime is from stolen
passwords
Identification WITHOUT Password
The Problem The password has outlived itrsquos usefulness
Secure Cloudlinkrsquos Response Patented and highly secure tokenised message management
solution assures password redundancy User credentials are not transmitted stored or replicated Secure digital services - a snap for the user
Randomised encrypted key generation ndashno consistent key to be stolen
ConclusionPossible quick-wins
Immediate Low-risk ConsiderationsPeople protection Continuous inter-active education on the threats amp risks posed by cyber-criminals through the deployment of Phish5 email phishing simulations with supporting education processes
Network hardening Rapid deployment of customisable low-cost capex-free Canary honeypots throughout the strategic points on the network
Access amp authorisation protection Review and assess the usage amp costs (directindirect) of passwords in your own organisation ndash test the results against Secure Cloudlink
Information handling assurance Regular external expert assessment amp audit of network data governance practices and procedures
Security Through Obscurity
Warfare - The Social Threat
Attack Surface Attribution Residency Deniability -Livingroom to Boardroom
Honeypots amp Tokens ndash Evolution Mimicked
Identification and Authorisation ndash New Pathway
Thank you
Trust in ldquoTHISrdquo
Security through ObscurityRay Dalgarno
raycybercastco
New and evolving forms of malwareMark Olding Senior Enterprise Presales Consultant Kaspersky Labs
The what how who and why of computer malware
Mark OldingSenior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1NEW VIRUS EVERY HOUR
19941NEW VIRUS EVERY MINUTE
20061NEW VIRUS EVERY SECOND
2011310000NEW SAMPLES EVERY DAY
2016
THE SCALE OF THE THREAT
90
99
01
Targeted attacks
Advanced persistent threats
Traditional cybercrime
Targeted threats to organizations
Cyber-weapons
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of ThingsBig Data Fragmentation of the internet
Cloud amp Virtualization Consumerisation amp Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy amp Data protection challenge
Online banking at risk
Mobile threatsDecreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of ThingsTargeting hotel networks
Ransomware programs
Cyber mercenaries Massive data leaks
Malware for ATMs
Financial phishing attacksAttacks on
PoS terminals
Threats to Smart CitieslsquoWipersrsquo amp Cyber - sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email Exploit kits
Social Networks
BrowsersAn-droi-dOS
VULNERBILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798113087 web attacks in 2015
25 attacks per second1518 attacks per minute
21 million attacks per day 91000 attacks per hour
DRIVE-BY DOWNLOADS
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
bull Evaluate the risksbull Patch OS and applicationsbull Mange your networkbull Secure your systems
Multi-layered protection Not just endpoints Default-Deny Encrypt Donrsquot forget mobile
bull Educate staff
RIGHT NOW
bull Stop fire fighting Create a strategy
bull Itrsquos bigger than ITbull Delegate to experts
Assessment Incident response Analysis
TOMORROW
bull lsquoThe end of APTsrsquobull Alternative payment systems and stock exchangebull Sabotage extortion and shamebull Ransomwarebull Trusted resourcesbull From lsquoAPT-as-a-Servicersquo to lsquoAccess-as-a-servicersquobull Balkanisationbull Transportationbull lsquoCrypto-apocalypse
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
Tackling the insider threatGarath Lauder Director CyberseerTed Plumis Vice President of Channels and Corporate Development Exabeam
Social engineering the art of the conRob Shapland Penetration Testing Team Manager First Base Technologies
Cryptography Basics Dr David Weston Lecturer in Computer Science and Information SystemsBirkbeck University of London
Tokens Honeypots Idenitfication Authorisation Services Ray Dalgarno Director CYBERCAST
Trust with ldquoTHISrdquo
TokensHoneypots
Identification Authorisation ServicesThe Confluence
Agenda
Warfare
Attack Surface Attribution Residency Deniability
Honeypots amp Tokens
Identification and Authorisation
Conclusion
WarfareSecurity through obscurity ndash
the reason the armed forces adopt camouflage
NHS Cyber Attacks ndash The Telegraph 1st Nov 2016
ldquohelliphacking is no longer the stuff of spy thrillers and action movies but a clear and present threathelliprdquo
ldquohellipBen Gummer minister for Cabinet says that large quantities of sensitive data held by the NHS and the Government is being targeted by hackershelliprdquo
ldquohellipMinisters will also unveil a Cyber Security Research Institute a virtual collection of UK universities which will work towards making passwords obsoletehelliprdquo
Cyber Fraud
ldquohellipOnline fraudsters stole pound109bn in the UK last yearhelliprdquo
ldquohellip39 (of respondents) questioned by ldquoGet Safe Onlinerdquo said they were a victim of cybercrime but did not report ithelliprdquo
ldquohellip53 received phishing messageshelliprdquo
Extract from The Telegraph 20th October 2016
Cyber Crime is a War ZoneldquoRouse him and learn the principle of his activity or inactivity Force him to reveal himself so as to find out his vulnerable spotsrdquoldquoIf you know the enemy and know yourself you need not fear the results of a hundred battlesrdquo
- Sun Tzu Military General Strategist amp Philosopher 5th Century BC ChinaDeception is a powerful effective but under utilised tool ndash (at least by defenders)
Full range of ldquoeffectsrdquo on adversaries possible through deception
Effects Attacker Defender
Fail to observe
Prevent the defender from detecting the attack Prevent the attacker from discovering their target
Reveal
Trick the defender into providing access Trick the attacker into revealing their presence
Waste Time
Focus the defenderrsquos attention on the wrong aspects of the incident
Focus the attackerrsquos efforts on the wrong target
Deception Effects - Attacker amp Defender
Operation Mincemeat - 1943
Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa To convince the Germans that instead of attacking Sicily the Allied armies would invade Greece
Operation Mincemeat - 1943Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa To convince the Germans that instead of attacking Sicily the Allied armies would invade Greece
This was accomplished by persuading the Germans that they had by accident intercepted top secret documents giving details of Allied war plans
Attack Surface Attribution Residency
DeniabilityFrom the living room to the boardroom
Attack Surface
From ordinary consumers to a single-office business through the regulatory bodies to the national and global giants
The environment dictates the approach ndash no ldquoSilver Bulletrdquo
Layered security ndash combining multiple mitigating security controls to cost effectively protect resources amp data
Attack AttributionAt which point in the attack do you realise that you have been hacked
TalkTalk DNC Yahoo
There are very few ldquosmoking gunsrdquo visible
Attacks that often begin with broadly targeted phishing that can introduce amp run new binaries on victims networks amp that connect to random internal hosts using exfiltrated credentials can still remain hidden for a year
Examples of Global IT Vendorsrsquo Vulnerabilities
Microsoft Microsoft August (2016) Patch Tuesday included five updates rated
critical out of a total of nine bringing the number of patches for the year-to-date at 103
SAP There are vulnerabilities in almost every SAP module CRM EP and SRM
are leaders among them ERPScan SAP Cyber Threat Report2016
Oracle MICROS (and others) In total more than one million PoS terminals around the world could be
at risk should the attacks prove to have been deeper than the companies are currently publicly admitting
Computing Aug
Dwell TimeResidency
Mandiant reported that attackers on average lurked on a network for 205 days before being discoveredsup1
Microsoft recently reported they place the number at more than 200 days to detect a security breach and 80 days to contain itsup2
1 httpswww2fireeyecomrsfireyeimagesrpt-m-trends-2015pdf2 httpsblogswindowscomwindowsexperience20160301announcing-windows-defender-advanced-threat-protection
Plausible Deniability amp Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrong doing cannot be proved as true or untrue due to a lack of evidence proving the allegation
It is a basic law for the cheat and the deceiver Be able to offer up an excuse that cannot be disproved easily and that makes sense for the situation
Trickle-down Effects
Increasing rapidity of car-trickle-down yester-yearsrsquo top end car innovations eventually migrate through the models becoming standard options in lower-priced vehicles
This pattern of innovation holds true in virtually every field including cyber- security
Malware as a Service (MaaS) ndash moving from the heavily funded specialist cyber experts down into the mass market
MaaS now commonly available at very low cost through the darknet and sites such TOR I2p
Honeypots amp TokensEvolution Mimicry
Honeypots
Venus Flytrap in Action (triggered honeypot)
Trojan Horse (passive honeypot) Greeks built used to enter the city of Troy and win the 10 year Trojan war - 4th Century story
Cartography A trap street (passive honeypot) is a fictitious entry in the form of a misrepresented street for the purpose of trapping potential copyright violators
Tempting - moneypot
All minehelliphelliphellip
Ooops
Honeypot Principle
Focus on detecting threats Here wersquod like to know immediately someone has broken into the network
and in places they shouldnrsquot be
Ensure the honeypot looks appealing to the attacker The honeypot must look legitimate amp enticing
In this attack scenario the defender has particular advantage Once attackers initially land inside your internal network theyrsquore at a
disadvantage They donrsquot know the lay of the land and they need to explore it (reconnaissance) while remaining hidden
Defence through Deception
Deception is a highly effective solution for protecting environments used to confuse delay and redirect the enemy
Lured to the Canary Honeypot the attacker will be tricked into engaging with that device and believe they are being successful in their attack
Canary ndash Today and Tomorrow
Canary - great for remote sites but what about our VM data centres
What about integration with established enterprise monitoring frameworks such as Openview CA or Microsoft SCOM
Console management limit on the number of deployed Canaries
Are ldquoCanarytokensrdquo part of tomorrowrsquos planning
Identification amp Authorisation
A new way forward
TokensTokens - In general a token is an object that represents something else such as another object (either physical or virtual) or an abstract concept In computer systems there are a number of types of tokens both hardware and software
In human terms a token of trust can exist between two parties with such levels of trust reinforced through personal introductions with other partiesA token generation amp management platform designed specifically for high security multi-services in public and private clouds
greatly enhances trustworthy information handling
Identification with Passwords Any directory service or managementplatform holding passwords becomes atarget by the attacker for credentialsrsquo theft
Passwords are fundamentally flawed Often easy to guess Are reused across different services Are written down or stored or shared Can be intercepted Are expensive to maintain 29 of all cybercrime is from stolen
passwords
Identification WITHOUT Password
The Problem The password has outlived itrsquos usefulness
Secure Cloudlinkrsquos Response Patented and highly secure tokenised message management
solution assures password redundancy User credentials are not transmitted stored or replicated Secure digital services - a snap for the user
Randomised encrypted key generation ndashno consistent key to be stolen
ConclusionPossible quick-wins
Immediate Low-risk ConsiderationsPeople protection Continuous inter-active education on the threats amp risks posed by cyber-criminals through the deployment of Phish5 email phishing simulations with supporting education processes
Network hardening Rapid deployment of customisable low-cost capex-free Canary honeypots throughout the strategic points on the network
Access amp authorisation protection Review and assess the usage amp costs (directindirect) of passwords in your own organisation ndash test the results against Secure Cloudlink
Information handling assurance Regular external expert assessment amp audit of network data governance practices and procedures
Security Through Obscurity
Warfare - The Social Threat
Attack Surface Attribution Residency Deniability -Livingroom to Boardroom
Honeypots amp Tokens ndash Evolution Mimicked
Identification and Authorisation ndash New Pathway
Thank you
Trust in ldquoTHISrdquo
Security through ObscurityRay Dalgarno
raycybercastco
New and evolving forms of malwareMark Olding Senior Enterprise Presales Consultant Kaspersky Labs
The what how who and why of computer malware
Mark OldingSenior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1NEW VIRUS EVERY HOUR
19941NEW VIRUS EVERY MINUTE
20061NEW VIRUS EVERY SECOND
2011310000NEW SAMPLES EVERY DAY
2016
THE SCALE OF THE THREAT
90
99
01
Targeted attacks
Advanced persistent threats
Traditional cybercrime
Targeted threats to organizations
Cyber-weapons
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of ThingsBig Data Fragmentation of the internet
Cloud amp Virtualization Consumerisation amp Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy amp Data protection challenge
Online banking at risk
Mobile threatsDecreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of ThingsTargeting hotel networks
Ransomware programs
Cyber mercenaries Massive data leaks
Malware for ATMs
Financial phishing attacksAttacks on
PoS terminals
Threats to Smart CitieslsquoWipersrsquo amp Cyber - sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email Exploit kits
Social Networks
BrowsersAn-droi-dOS
VULNERBILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798113087 web attacks in 2015
25 attacks per second1518 attacks per minute
21 million attacks per day 91000 attacks per hour
DRIVE-BY DOWNLOADS
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the Flashback botnet was discovered, consisting of 700,000 computers, all running Mac OS X.
Cybercriminals repeatedly use Mac malware when launching targeted attacks.
Macs can unknowingly pass PC malware on to the PCs in your network.
[Chart: Mac malware samples per year, 2003 to 2015; y-axis 0 to 30,000]
Since 2012 the proportion of adware on OS X has increased fivefold (x5).
Kaspersky Lab recorded almost 6 million unique attacks on Mac devices in 2015.
There are more than 24,000 samples of malicious OS X files in Kaspersky Lab's collection.
MOBILE MALWARE
[Chart: mobile malware samples per quarter, Q1 2011 to Q3 2015; y-axis 0 to 1,600,000]
[Chart: mobile malware by type: Adware, RiskTool, Trojan-SMS, Trojan, Trojan-Spy, Backdoor, Trojan-Downloader, Trojan-Banker, Trojan-Ransom, Monitor, Other]
RIGHT NOW
• Evaluate the risks
• Patch OS and applications
• Manage your network
• Secure your systems: multi-layered protection, not just endpoints; Default-Deny; encrypt; don't forget mobile
• Educate staff
TOMORROW
• Stop fire fighting: create a strategy
• It's bigger than IT
• Delegate to experts: assessment, incident response, analysis
FUTURE PROSPECTS
• 'The end of APTs'
• Alternative payment systems and stock exchanges
• Sabotage, extortion and shame
• Ransomware
• Trusted resources
• From 'APT-as-a-Service' to 'Access-as-a-Service'
• Balkanisation
• Transportation
• 'Crypto-apocalypse'
THANK YOU
Closing keynote address: Vicki Gavin, Compliance Director, Head of Business Continuity & Information Security, The Economist Group
Thank you
Social engineering, the art of the con: Rob Shapland, Penetration Testing Team Manager, First Base Technologies
Cryptography Basics: Dr David Weston, Lecturer in Computer Science and Information Systems, Birkbeck, University of London
Tokens, Honeypots, Identification & Authorisation Services: Ray Dalgarno, Director, CYBERCAST
Trust with "THIS"
Tokens, Honeypots, Identification & Authorisation Services: The Confluence
Agenda
Warfare
Attack Surface, Attribution, Residency, Deniability
Honeypots & Tokens
Identification and Authorisation
Conclusion
Warfare
Security through obscurity: the reason the armed forces adopt camouflage.
NHS Cyber Attacks (The Telegraph, 1st November 2016)
"…hacking is no longer the stuff of spy thrillers and action movies but a clear and present threat…"
"…Ben Gummer, minister for Cabinet, says that large quantities of sensitive data held by the NHS and the Government are being targeted by hackers…"
"…Ministers will also unveil a Cyber Security Research Institute, a virtual collection of UK universities which will work towards making passwords obsolete…"
Cyber Fraud (extract from The Telegraph, 20th October 2016)
"…Online fraudsters stole £10.9bn in the UK last year…"
"…39% (of respondents) questioned by "Get Safe Online" said they were a victim of cybercrime but did not report it…"
"…53% received phishing messages…"
Cyber Crime is a War Zone
"Rouse him and learn the principle of his activity or inactivity. Force him to reveal himself so as to find out his vulnerable spots."
"If you know the enemy and know yourself you need not fear the results of a hundred battles."
- Sun Tzu, Military General, Strategist & Philosopher, 5th Century BC, China
Deception is a powerful, effective but under-utilised tool (at least by defenders).
A full range of "effects" on adversaries is possible through deception:
Deception Effects - Attacker & Defender

Effect           | Attacker's use                                                      | Defender's use
Fail to observe  | Prevent the defender from detecting the attack                      | Prevent the attacker from discovering their target
Reveal           | Trick the defender into providing access                            | Trick the attacker into revealing their presence
Waste time       | Focus the defender's attention on the wrong aspects of the incident | Focus the attacker's efforts on the wrong target
Operation Mincemeat - 1943
A successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa: to convince the Germans that, instead of attacking Sicily, the Allied armies would invade Greece.
This was accomplished by persuading the Germans that they had, by accident, intercepted top secret documents giving details of Allied war plans.
Attack Surface, Attribution, Residency, Deniability: from the living room to the boardroom
Attack Surface
From ordinary consumers to a single-office business, through the regulatory bodies, to the national and global giants.
The environment dictates the approach: there is no "Silver Bullet".
Layered security: combining multiple mitigating security controls to cost-effectively protect resources & data.
Attack Attribution
At which point in the attack do you realise that you have been hacked? TalkTalk, DNC, Yahoo.
There are very few "smoking guns" visible.
Attacks that often begin with broadly targeted phishing, that introduce and run new binaries on victims' networks, and that connect to random internal hosts using exfiltrated credentials can still remain hidden for a year.
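The lateral movement described above (and in the Carbanak chain earlier, where hundreds of machines were infected in the search for an admin PC) does leave one trace that needs no smoking gun: a single account authenticating to far more distinct internal hosts in a short window than any clerk's account normally would. The following is an added example, not code from this talk or from any vendor named on this page. It runs a fan-out check over a constructed sample of simplified network-logon records; the log format, the host and user names, the 30-minute window and the threshold of three hosts are assumptions chosen for illustration, and a real deployment would derive the threshold per account from its own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real logs): simplified network logon events in
# the shape "timestamp logon user= src= dst= type=". Type 3 is the Windows
# network-logon type, the one lateral movement with stolen credentials uses.
SAMPLE_LOG = """\
2016-10-03T08:01:12Z logon user=alice src=WS-ALICE dst=FILESRV01 type=3
2016-10-03T08:05:40Z logon user=alice src=WS-ALICE dst=MAIL01 type=3
2016-10-03T09:12:03Z logon user=bob src=WS-BOB dst=FILESRV01 type=3
2016-10-03T22:14:09Z logon user=clerk7 src=WS-CLERK7 dst=WS-CLERK3 type=3
2016-10-03T22:14:31Z logon user=clerk7 src=WS-CLERK7 dst=WS-CLERK9 type=3
2016-10-03T22:15:02Z logon user=clerk7 src=WS-CLERK7 dst=WS-HR2 type=3
2016-10-03T22:15:44Z logon user=clerk7 src=WS-CLERK7 dst=WS-ADMIN1 type=3
2016-10-03T22:16:10Z logon user=clerk7 src=WS-CLERK7 dst=WS-OPS4 type=3
2016-10-03T22:16:52Z logon user=clerk7 src=WS-CLERK7 dst=SQL02 type=3
2016-10-04T08:02:00Z logon user=alice src=WS-ALICE dst=FILESRV01 type=3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) logon user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) type=(?P<type>\d+)$"
)


def parse(log_text):
    """Parse the sample format into dicts; malformed lines are skipped
    rather than allowed to crash the detection pipeline."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        d["type"] = int(d["type"])
        events.append(d)
    return events


def fanout_alerts(events, window=timedelta(minutes=30), max_hosts=3):
    """Flag accounts whose network logons reach more than max_hosts distinct
    destination hosts inside any sliding window of the given length.
    Returns {user: {"first_seen": datetime, "hosts": [sorted hosts]}}."""
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == 3:
            by_user[e["user"]].append(e)

    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            hosts = set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                hosts.add(e["dst"])
            if len(hosts) > max_hosts:
                prev = alerts.get(user)
                # keep the widest fan-out seen for this account
                if prev is None or len(hosts) > len(prev["hosts"]):
                    alerts[user] = {"first_seen": start["ts"],
                                    "hosts": sorted(hosts)}
    return alerts


if __name__ == "__main__":
    for user, info in fanout_alerts(parse(SAMPLE_LOG)).items():
        print(f"{user}: {len(info['hosts'])} hosts from "
              f"{info['first_seen']:%Y-%m-%d %H:%M}: {info['hosts']}")
```

The two ordinary users never exceed two destinations in a window; the compromised clerk's account touches six in under three minutes, including an admin workstation, which is exactly the "search for the admin PC" the Carbanak walk-through describes. The same logic works on real Security event logs once the parser is swapped for one that reads event 4624 with logon type 3.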
Examples of Global IT Vendors' Vulnerabilities
Microsoft: the August 2016 Patch Tuesday included five updates rated critical out of a total of nine, bringing the number of patches for the year to date to 103.
SAP: there are vulnerabilities in almost every SAP module; CRM, EP and SRM are leaders among them (ERPScan, SAP Cyber Threat Report 2016).
Oracle MICROS (and others): in total more than one million PoS terminals around the world could be at risk should the attacks prove to have been deeper than the companies are currently publicly admitting (Computing, August 2016).
Dwell Time / Residency
Mandiant reported that attackers on average lurked on a network for 205 days before being discovered.¹
Microsoft recently reported that they place the number at more than 200 days to detect a security breach and 80 days to contain it.²
1. https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf
2. https://blogs.windows.com/windowsexperience/2016/03/01/announcing-windows-defender-advanced-threat-protection/
Plausible Deniability & Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrongdoing cannot be proved true or untrue, due to a lack of evidence proving the allegation.
It is a basic law for the cheat and the deceiver: be able to offer up an excuse that cannot be disproved easily and that makes sense for the situation.
Trickle-down Effects
The increasing rapidity of car "trickle-down": yesteryear's top-end car innovations eventually migrate through the models, becoming standard options in lower-priced vehicles.
This pattern of innovation holds true in virtually every field, including cyber-security.
Malware as a Service (MaaS): moving from the heavily funded specialist cyber experts down into the mass market.
MaaS is now commonly available at very low cost through the darknet and anonymity networks such as Tor and I2P.
Honeypots & Tokens: Evolution, Mimicry
Honeypots
Venus flytrap in action (triggered honeypot).
Trojan Horse (passive honeypot): built by the Greeks to enter the city of Troy and win the ten-year Trojan War.
Cartography: a trap street (passive honeypot) is a fictitious entry, in the form of a misrepresented street, for the purpose of trapping potential copyright violators.
[Image: a tempting "moneypot"; the attacker grabs it ("All mine…"), then "Oops"]
Honeypot Principle
Focus on detecting threats: here we'd like to know immediately that someone has broken into the network and is in places they shouldn't be.
Ensure the honeypot looks appealing to the attacker: the honeypot must look legitimate & enticing.
In this attack scenario the defender has a particular advantage. Once attackers initially land inside your internal network they're at a disadvantage: they don't know the lay of the land and they need to explore it (reconnaissance) while remaining hidden.
Defence through Deception
Deception is a highly effective solution for protecting environments, used to confuse, delay and redirect the enemy.
Lured to the Canary honeypot, the attacker is tricked into engaging with that device and believes they are being successful in their attack.
Canary: Today and Tomorrow
Canary is great for remote sites, but what about our VM data centres?
What about integration with established enterprise monitoring frameworks such as OpenView, CA or Microsoft SCOM?
Console management: is there a limit on the number of deployed Canaries?
Are "Canarytokens" part of tomorrow's planning?
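As an added example of the honeypot principle and of canarytokens (this is not Thinkst Canary code or anything from the talk; the SSH-looking banner, the in-memory alert list, the token prefix and the planted-secret labels are assumptions for illustration), the following listens on a port that no legitimate host ever needs to talk to, so a single connection is a high-fidelity alert, and mints unique tokens whose mere use is the alarm. It exploits exactly the asymmetry the slide describes: the intruder must do reconnaissance, and every touch of a decoy reveals their presence.

```python
import hashlib
import secrets
import socket
import socketserver
import threading
import time
from datetime import datetime, timezone

# In-memory alert sink standing in for syslog or a SIEM (assumption).
ALERTS = []


def _alert(kind, **fields):
    event = {"ts": datetime.now(timezone.utc).isoformat(), "kind": kind}
    event.update(fields)
    ALERTS.append(event)
    return event


class CanaryHandler(socketserver.BaseRequestHandler):
    """Looks like an SSH server to a port scanner or a curious intruder,
    then records who connected and the first bytes they sent."""
    BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"  # assumed plausible-looking banner

    def handle(self):
        self.request.settimeout(2.0)
        self.request.sendall(self.BANNER)
        try:
            first = self.request.recv(256)
        except (socket.timeout, ConnectionError):
            first = b""
        _alert("honeypot-connect",
               src=self.client_address[0],
               src_port=self.client_address[1],
               dst_port=self.server.server_address[1],
               first_bytes=first[:64].hex())


class CanaryServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


def start_canary(host="127.0.0.1", port=0):
    """Bind a canary listener; port=0 lets the OS choose a free port."""
    srv = CanaryServer((host, port), CanaryHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def touch(host, port):
    """Simulate an intruder's reconnaissance touch; returns the banner seen."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        banner = s.recv(64)
        s.sendall(b"SSH-2.0-recon\r\n")
    return banner


def wait_for_alerts(n, timeout=5.0):
    """Block until at least n alerts exist (the handler runs in a thread)."""
    deadline = time.monotonic() + timeout
    while len(ALERTS) < n and time.monotonic() < deadline:
        time.sleep(0.01)
    return list(ALERTS)


# Canarytokens: unique secrets planted where only an intruder would find
# them (a fake DB password in a config file, a bogus cloud key in a repo).
# Only a hash of each token is stored, so a dump of this registry does not
# hand the attacker a list of which values are decoys.
_TOKENS = {}


def mint_token(label):
    token = "ct-" + secrets.token_hex(12)
    _TOKENS[hashlib.sha256(token.encode()).hexdigest()] = label
    return token


def check_token(token, src="unknown"):
    """Call wherever a planted value could be presented (login backend,
    web hook, DNS log). Returns the label, raising an alert on a hit."""
    label = _TOKENS.get(hashlib.sha256(token.encode()).hexdigest())
    if label is not None:
        _alert("canarytoken-used", label=label, src=src)
    return label


if __name__ == "__main__":
    srv = start_canary()
    touch(*srv.server_address[:2])
    check_token(mint_token("fake db password in app.conf"), src="10.0.0.9")
    for a in wait_for_alerts(2):
        print(a)
    srv.shutdown()
```

Run stand-alone it prints the two alerts from one simulated recon touch and one token use. In production the banner and port are chosen to match what the surrounding estate looks like (an old file server, a database listener), the listener sits where only reconnaissance would find it, and the alert sink is the SIEM; the value of both mechanisms is that they produce essentially no false positives, which is what makes them worth deploying at the "strategic points on the network" the conclusion below recommends.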
Identification & Authorisation: a new way forward
Tokens
In general a token is an object that represents something else, such as another object (either physical or virtual) or an abstract concept. In computer systems there are a number of types of tokens, both hardware and software.
In human terms a token of trust can exist between two parties, with such levels of trust reinforced through personal introductions with other parties.
A token generation & management platform designed specifically for high-security multi-services in public and private clouds greatly enhances trustworthy information handling.
Identification with Passwords
Any directory service or management platform holding passwords becomes a target for the attacker for credential theft.
Passwords are fundamentally flawed: often easy to guess; reused across different services; written down, stored or shared; able to be intercepted; expensive to maintain. 29% of all cybercrime is from stolen passwords.
Identification WITHOUT Passwords
The problem: the password has outlived its usefulness.
Secure Cloudlink's response: a patented and highly secure tokenised message management solution that assures password redundancy. User credentials are not transmitted, stored or replicated. Secure digital services, a snap for the user.
Randomised encrypted key generation: no consistent key to be stolen.
Conclusion: Possible Quick Wins
Immediate Low-risk Considerations
People protection: continuous interactive education on the threats & risks posed by cyber-criminals, through the deployment of Phish5 email phishing simulations with supporting education processes.
Network hardening: rapid deployment of customisable, low-cost, capex-free Canary honeypots throughout the strategic points on the network.
Access & authorisation protection: review and assess the usage & costs (direct/indirect) of passwords in your own organisation, then test the results against Secure Cloudlink.
Information handling assurance: regular external expert assessment & audit of network data governance practices and procedures.
Security Through Obscurity
Warfare - The Social Threat
Attack Surface, Attribution, Residency, Deniability - Living Room to Boardroom
Honeypots & Tokens - Evolution Mimicked
Identification and Authorisation - New Pathway
Thank you
Trust in "THIS"
Security through Obscurity: Ray Dalgarno
ray@cybercast.co
New and evolving forms of malwareMark Olding Senior Enterprise Presales Consultant Kaspersky Labs
The what how who and why of computer malware
Mark OldingSenior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1NEW VIRUS EVERY HOUR
19941NEW VIRUS EVERY MINUTE
20061NEW VIRUS EVERY SECOND
2011310000NEW SAMPLES EVERY DAY
2016
THE SCALE OF THE THREAT
90
99
01
Targeted attacks
Advanced persistent threats
Traditional cybercrime
Targeted threats to organizations
Cyber-weapons
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of ThingsBig Data Fragmentation of the internet
Cloud amp Virtualization Consumerisation amp Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy amp Data protection challenge
Online banking at risk
Mobile threatsDecreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of ThingsTargeting hotel networks
Ransomware programs
Cyber mercenaries Massive data leaks
Malware for ATMs
Financial phishing attacksAttacks on
PoS terminals
Threats to Smart CitieslsquoWipersrsquo amp Cyber - sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email Exploit kits
Social Networks
BrowsersAn-droi-dOS
VULNERBILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798113087 web attacks in 2015
25 attacks per second1518 attacks per minute
21 million attacks per day 91000 attacks per hour
DRIVE-BY DOWNLOADS
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
bull Evaluate the risksbull Patch OS and applicationsbull Mange your networkbull Secure your systems
Multi-layered protection Not just endpoints Default-Deny Encrypt Donrsquot forget mobile
bull Educate staff
RIGHT NOW
bull Stop fire fighting Create a strategy
bull Itrsquos bigger than ITbull Delegate to experts
Assessment Incident response Analysis
TOMORROW
bull lsquoThe end of APTsrsquobull Alternative payment systems and stock exchangebull Sabotage extortion and shamebull Ransomwarebull Trusted resourcesbull From lsquoAPT-as-a-Servicersquo to lsquoAccess-as-a-servicersquobull Balkanisationbull Transportationbull lsquoCrypto-apocalypse
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
Tokens Honeypots Idenitfication Authorisation Services Ray Dalgarno Director CYBERCAST
Trust with ldquoTHISrdquo
TokensHoneypots
Identification Authorisation ServicesThe Confluence
Agenda
Warfare
Attack Surface Attribution Residency Deniability
Honeypots amp Tokens
Identification and Authorisation
Conclusion
WarfareSecurity through obscurity ndash
the reason the armed forces adopt camouflage
NHS Cyber Attacks ndash The Telegraph 1st Nov 2016
ldquohelliphacking is no longer the stuff of spy thrillers and action movies but a clear and present threathelliprdquo
ldquohellipBen Gummer minister for Cabinet says that large quantities of sensitive data held by the NHS and the Government is being targeted by hackershelliprdquo
ldquohellipMinisters will also unveil a Cyber Security Research Institute a virtual collection of UK universities which will work towards making passwords obsoletehelliprdquo
Cyber Fraud
ldquohellipOnline fraudsters stole pound109bn in the UK last yearhelliprdquo
ldquohellip39 (of respondents) questioned by ldquoGet Safe Onlinerdquo said they were a victim of cybercrime but did not report ithelliprdquo
ldquohellip53 received phishing messageshelliprdquo
Extract from The Telegraph 20th October 2016
Cyber Crime is a War ZoneldquoRouse him and learn the principle of his activity or inactivity Force him to reveal himself so as to find out his vulnerable spotsrdquoldquoIf you know the enemy and know yourself you need not fear the results of a hundred battlesrdquo
- Sun Tzu Military General Strategist amp Philosopher 5th Century BC ChinaDeception is a powerful effective but under utilised tool ndash (at least by defenders)
Full range of “effects” on adversaries possible through deception
Deception Effects – Attacker & Defender
Fail to observe
  Attacker: prevent the defender from detecting the attack
  Defender: prevent the attacker from discovering their target
Reveal
  Attacker: trick the defender into providing access
  Defender: trick the attacker into revealing their presence
Waste time
  Attacker: focus the defender’s attention on the wrong aspects of the incident
  Defender: focus the attacker’s efforts on the wrong target
Operation Mincemeat – 1943
Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa: to convince the Germans that, instead of attacking Sicily, the Allied armies would invade Greece.
This was accomplished by persuading the Germans that they had, by accident, intercepted top secret documents giving details of Allied war plans.
Attack Surface, Attribution, Residency, Deniability
From the living room to the boardroom
Attack Surface
From ordinary consumers to a single-office business, through the regulatory bodies, to the national and global giants.
The environment dictates the approach – no “Silver Bullet”.
Layered security – combining multiple mitigating security controls to cost-effectively protect resources & data.
Attack Attribution
At which point in the attack do you realise that you have been hacked?
TalkTalk, DNC, Yahoo
There are very few “smoking guns” visible.
Attacks that begin with broadly targeted phishing, introduce and run new binaries on the victim’s network, and connect to arbitrary internal hosts using stolen credentials can still remain hidden for a year.
Examples of Global IT Vendors’ Vulnerabilities
Microsoft: Microsoft’s August (2016) Patch Tuesday included five updates rated critical out of a total of nine, bringing the number of patches for the year-to-date to 103.
SAP: There are vulnerabilities in almost every SAP module; CRM, EP and SRM are leaders among them. – ERPScan, SAP Cyber Threat Report 2016
Oracle MICROS (and others): In total, more than one million PoS terminals around the world could be at risk should the attacks prove to have been deeper than the companies are currently publicly admitting. – Computing, Aug
Dwell Time / Residency
Mandiant reported that attackers on average lurked on a network for 205 days before being discovered¹
Microsoft recently reported they place the number at more than 200 days to detect a security breach and 80 days to contain it²
1 https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf
2 https://blogs.windows.com/windowsexperience/2016/03/01/announcing-windows-defender-advanced-threat-protection
Plausible Deniability & Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrongdoing cannot be proved as true or untrue due to a lack of evidence proving the allegation.
It is a basic law for the cheat and the deceiver: be able to offer up an excuse that cannot be disproved easily and that makes sense for the situation.
Trickle-down Effects
Increasing rapidity of “car trickle-down”: yesteryear’s top-end car innovations eventually migrate down through the model range, becoming standard options in lower-priced vehicles.
This pattern of innovation holds true in virtually every field, including cyber-security.
Malware as a Service (MaaS) – moving from the heavily funded specialist cyber experts down into the mass market.
MaaS is now commonly available at very low cost through the darknet, via networks such as Tor and I2P.
Honeypots & Tokens – Evolution, Mimicry
Honeypots
Venus Flytrap in action (triggered honeypot)
Trojan Horse (passive honeypot): built by the Greeks, used to enter the city of Troy and win the 10-year Trojan war – 4th Century story
Cartography: a trap street (passive honeypot) is a fictitious entry in the form of a misrepresented street, for the purpose of trapping potential copyright violators
(Illustration: a tempting “moneypot” – “All mine…” – “Ooops”)
Honeypot Principle
Focus on detecting threats: here we’d like to know immediately that someone has broken into the network and is in places they shouldn’t be.
Ensure the honeypot looks appealing to the attacker: the honeypot must look legitimate & enticing.
In this attack scenario the defender has a particular advantage. Once attackers initially land inside your internal network they’re at a disadvantage: they don’t know the lay of the land, and they need to explore it (reconnaissance) while remaining hidden.
Defence through Deception
Deception is a highly effective solution for protecting environments, used to confuse, delay and redirect the enemy.
Lured to the Canary honeypot, the attacker will be tricked into engaging with that device and believe they are being successful in their attack.
Canary – Today and Tomorrow
Canary – great for remote sites, but what about our VM data centres?
What about integration with established enterprise monitoring frameworks such as OpenView, CA or Microsoft SCOM?
Console management: limit on the number of deployed Canaries.
Are “Canarytokens” part of tomorrow’s planning?
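The Canarytoken idea raised in the last question, worked through as an added example (not code from the talk or from any vendor’s product): a decoy carries an unguessable hostname that no legitimate workflow resolves, so a single DNS query for it is a high-confidence sign the decoy was opened. The monitoring zone and the query-log format are assumptions, and the tokens and log lines are constructed.

```python
"""Canarytoken-style DNS beacon monitor (added example, not vendor code).

Each token is an unguessable label under a monitoring zone, embedded in a
decoy document, config file or URL. Nobody has a reason to resolve that
name, so a query for it in the resolver log means the decoy was touched,
and the client address tells the defender where to look first.
"""
import re
import secrets
from dataclasses import dataclass

# Assumed placeholder zone; a real deployment uses a zone whose resolver you log.
TOKEN_ZONE = "canary.example.invalid"


@dataclass(frozen=True)
class Token:
    token_id: str   # random label; 64 bits, not discoverable by scanning
    placement: str  # where the decoy was planted, for the alert text


def mint_token(placement: str) -> Token:
    """Create a fresh token for one decoy placement."""
    return Token(secrets.token_hex(8), placement)


def hostname_for(token: Token) -> str:
    """The hostname to embed in the decoy (image URL, UNC path, config value)."""
    return f"{token.token_id}.{TOKEN_ZONE}"


# Constructed resolver-log format: "<timestamp> client=<ip> query=<name>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<name>\S+)$")


def find_triggered(tokens, log_lines):
    """Map queries under the zone back to tokens; one alert per matching query.

    Queries under the zone that match no known token are also reported, at
    low confidence: they suggest someone probing the zone itself.
    """
    by_host = {hostname_for(t): t for t in tokens}
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                     # unrelated or malformed line
        name = m["name"].rstrip(".").lower()   # normalise FQDN dot and case
        if not name.endswith("." + TOKEN_ZONE):
            continue                     # ordinary DNS traffic
        tok = by_host.get(name)
        alerts.append({
            "ts": m["ts"],
            "client": m["client"],
            "confidence": "high" if tok else "low",
            "placement": tok.placement if tok else None,
            "query": name,
        })
    return alerts


# Constructed tokens with fixed ids so the run is reproducible (use mint_token in practice).
SAMPLE_TOKENS = [
    Token("3f9a1c77e2b04d58", "decoy 'Q3-payroll.xlsx' on the finance file share"),
    Token("b81e6d02a4c9f310", "decoy credentials file on the build server"),
]

# Constructed resolver log: normal traffic, one decoy opened (twice), one zone probe.
SAMPLE_LOG = [
    "2016-11-04T09:12:01Z client=10.1.4.23 query=www.example.com.",
    "2016-11-04T09:13:44Z client=10.1.4.23 query=3f9a1c77e2b04d58.canary.example.invalid.",
    "2016-11-04T09:13:45Z client=10.1.4.23 query=3F9A1C77E2B04D58.CANARY.EXAMPLE.INVALID",
    "2016-11-04T09:20:10Z client=10.1.9.8 query=ffffffffffffffff.canary.example.invalid.",
    "garbage line that does not parse",
]


def demo():
    """Run the monitor over the constructed log; returns the alert list."""
    return find_triggered(SAMPLE_TOKENS, SAMPLE_LOG)


if __name__ == "__main__":
    for a in demo():
        print(f"[{a['confidence']}] {a['ts']} {a['client']} -> {a['placement'] or a['query']}")
```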
Identification & Authorisation
A new way forward
Tokens
Tokens – In general, a token is an object that represents something else, such as another object (either physical or virtual) or an abstract concept. In computer systems there are a number of types of tokens, both hardware and software.
In human terms, a token of trust can exist between two parties, with such levels of trust reinforced through personal introductions with other parties.
A token generation & management platform designed specifically for high-security multi-services in public and private clouds greatly enhances trustworthy information handling.
Identification with Passwords
Any directory service or management platform holding passwords becomes a target for the attacker for credential theft.
Passwords are fundamentally flawed: often easy to guess; reused across different services; written down, stored or shared; can be intercepted; expensive to maintain. 29% of all cybercrime is from stolen passwords.
Identification WITHOUT Password
The Problem: the password has outlived its usefulness.
Secure Cloudlink’s Response: a patented and highly secure tokenised message management solution assures password redundancy. User credentials are not transmitted, stored or replicated. Secure digital services – a snap for the user.
Randomised encrypted key generation – no consistent key to be stolen.
Conclusion – Possible quick-wins
Immediate Low-risk Considerations
People protection: continuous interactive education on the threats & risks posed by cyber-criminals, through the deployment of Phish5 email phishing simulations with supporting education processes.
Network hardening: rapid deployment of customisable, low-cost, capex-free Canary honeypots throughout the strategic points on the network.
Access & authorisation protection: review and assess the usage & costs (direct/indirect) of passwords in your own organisation – test the results against Secure Cloudlink.
Information handling assurance: regular external expert assessment & audit of network data governance practices and procedures.
Security Through Obscurity
Warfare – The Social Threat
Attack Surface, Attribution, Residency, Deniability – Living room to Boardroom
Honeypots & Tokens – Evolution Mimicked
Identification and Authorisation – New Pathway
Thank you
Trust in “THIS”
Security through Obscurity – Ray Dalgarno
raycybercastco
New and evolving forms of malware
Mark Olding, Senior Enterprise Presales Consultant, Kaspersky Labs
The what, how, who and why of computer malware
THE SCALE OF THE THREAT
1994: 1 new virus every hour
2006: 1 new virus every minute
2011: 1 new virus every second
2016: 310,000 new samples every day
THE SCALE OF THE THREAT
(Chart: 90% traditional cybercrime; 9.9% targeted attacks / advanced persistent threats / targeted threats to organizations; 0.1% cyber-weapons)
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of Things
Big Data
Fragmentation of the internet
Cloud & Virtualization
Consumerisation & Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy & Data protection challenge
Online banking at risk
Mobile threats
Decreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Targeting hotel networks
Ransomware programs
Cyber mercenaries
Massive data leaks
Malware for ATMs
Financial phishing attacks
Attacks on PoS terminals
Threats to Smart Cities
‘Wipers’ & Cyber-sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks; Email; Exploit kits; Social Networks; Browsers; Android OS
VULNERABILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798,113,087 web attacks in 2015
25 attacks per second; 1,518 attacks per minute; 91,000 attacks per hour; 2.1 million attacks per day
(Charts, June 2015: drive-by downloads; social media; removable drives; digital certificates)
CONSUMER THREATS IN 2015
(Chart: users attacked per month, Nov-14 to Sep-15; y-axis 0–450,000 users)
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers.
This number is 2.8% higher than in 2014.
(Chart, June 2015)
Ransomware
(Chart, June 2015: blockers vs cryptors)
Advanced Persistent Threats
Stuxnet
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetic Bear / Crouching Yeti
Epic Turla
Careto / The Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 2.0
Blue Termite
Wild Neutron
We discover and dissect the world’s most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
A targeted attack on a bank
1. Infection: emails with exploits; Carbanak sent a backdoor as an attachment to a bank employee; credentials stolen; 100s of machines infected in search of the admin PC.
2. Harvesting intelligence: intercepting the clerk’s screen (admin, recording, cash transfer systems).
3. Mimicking the staff – how the money was stolen:
Online banking: money was transferred to the fraudsters’ accounts.
E-payment systems: money was transferred to banks in China and the US.
Inflated account balances: the extra funds were pocketed via a fraudulent transaction.
Controlling ATMs: orders to dispense cash at a pre-determined time.
MAC MALWARE
In 2012 the Flashback botnet was discovered, consisting of 700,000 computers all running Mac OS X.
Cybercriminals repeatedly use Mac malware when launching targeted attacks.
Macs can unknowingly pass PC malware on to PCs in your network.
(Chart: Mac malware samples per year, 2003–2015; y-axis 0–30,000)
Since 2012 the proportion of adware on OS X has increased fivefold (x5).
Kaspersky Lab recorded almost 6 million unique attacks on Mac devices in 2015.
There are more than 24,000 samples of malicious OS X files in Kaspersky Lab’s collection.
MOBILE MALWARE
(Chart: mobile malware samples, Q1 2011 to Q3 2015; y-axis 0–1,600,000)
(Chart: mobile malware by type – Adware, RiskTool, Trojan-SMS, Trojan, Trojan-Spy, Backdoor, Trojan-Downloader, Trojan-Banker, Trojan-Ransom, Monitor, Other)
RIGHT NOW
• Evaluate the risks
• Patch OS and applications
• Manage your network
• Secure your systems: multi-layered protection; not just endpoints; Default-Deny; encrypt; don’t forget mobile
• Educate staff
• Stop fire fighting – create a strategy
• It’s bigger than IT
• Delegate to experts: assessment, incident response, analysis
TOMORROW – FUTURE PROSPECTS
• ‘The end of APTs’
• Alternative payment systems and stock exchange
• Sabotage, extortion and shame
• Ransomware
• Trusted resources
• From ‘APT-as-a-Service’ to ‘Access-as-a-Service’
• Balkanisation
• Transportation
• ‘Crypto-apocalypse’
THANK YOU
Closing keynote address
Vicki Gavin, Compliance Director, Head of Business Continuity & Information Security, The Economist Group
Thank you
Randomised encrypted key generation ndashno consistent key to be stolen
ConclusionPossible quick-wins
Immediate Low-risk ConsiderationsPeople protection Continuous inter-active education on the threats amp risks posed by cyber-criminals through the deployment of Phish5 email phishing simulations with supporting education processes
Network hardening Rapid deployment of customisable low-cost capex-free Canary honeypots throughout the strategic points on the network
Access amp authorisation protection Review and assess the usage amp costs (directindirect) of passwords in your own organisation ndash test the results against Secure Cloudlink
Information handling assurance Regular external expert assessment amp audit of network data governance practices and procedures
Security Through Obscurity
Warfare - The Social Threat
Attack Surface Attribution Residency Deniability -Livingroom to Boardroom
Honeypots amp Tokens ndash Evolution Mimicked
Identification and Authorisation ndash New Pathway
Thank you
Trust in ldquoTHISrdquo
Security through ObscurityRay Dalgarno
raycybercastco
New and evolving forms of malwareMark Olding Senior Enterprise Presales Consultant Kaspersky Labs
The what how who and why of computer malware
Mark OldingSenior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1NEW VIRUS EVERY HOUR
19941NEW VIRUS EVERY MINUTE
20061NEW VIRUS EVERY SECOND
2011310000NEW SAMPLES EVERY DAY
2016
THE SCALE OF THE THREAT
90
99
01
Targeted attacks
Advanced persistent threats
Traditional cybercrime
Targeted threats to organizations
Cyber-weapons
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of ThingsBig Data Fragmentation of the internet
Cloud amp Virtualization Consumerisation amp Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy amp Data protection challenge
Online banking at risk
Mobile threatsDecreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of ThingsTargeting hotel networks
Ransomware programs
Cyber mercenaries Massive data leaks
Malware for ATMs
Financial phishing attacksAttacks on
PoS terminals
Threats to Smart CitieslsquoWipersrsquo amp Cyber - sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email Exploit kits
Social Networks
BrowsersAn-droi-dOS
VULNERBILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798113087 web attacks in 2015
25 attacks per second1518 attacks per minute
21 million attacks per day 91000 attacks per hour
DRIVE-BY DOWNLOADS
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
bull Evaluate the risksbull Patch OS and applicationsbull Mange your networkbull Secure your systems
Multi-layered protection Not just endpoints Default-Deny Encrypt Donrsquot forget mobile
bull Educate staff
RIGHT NOW
bull Stop fire fighting Create a strategy
bull Itrsquos bigger than ITbull Delegate to experts
Assessment Incident response Analysis
TOMORROW
bull lsquoThe end of APTsrsquobull Alternative payment systems and stock exchangebull Sabotage extortion and shamebull Ransomwarebull Trusted resourcesbull From lsquoAPT-as-a-Servicersquo to lsquoAccess-as-a-servicersquobull Balkanisationbull Transportationbull lsquoCrypto-apocalypse
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
Warfare
Security through obscurity - the reason the armed forces adopt camouflage
NHS Cyber Attacks - The Telegraph, 1st November 2016
"...hacking is no longer the stuff of spy thrillers and action movies but a clear and present threat..."
"...Ben Gummer, Minister for the Cabinet Office, says that large quantities of sensitive data held by the NHS and the Government are being targeted by hackers..."
"...Ministers will also unveil a Cyber Security Research Institute, a virtual collection of UK universities which will work towards making passwords obsolete..."
Cyber Fraud
"...Online fraudsters stole £10.9bn in the UK last year..."
"...39% (of respondents) questioned by 'Get Safe Online' said they were a victim of cybercrime but did not report it..."
"...53% received phishing messages..."
Extract from The Telegraph, 20th October 2016
Cyber Crime is a War Zone
"Rouse him and learn the principle of his activity or inactivity. Force him to reveal himself so as to find out his vulnerable spots."
"If you know the enemy and know yourself you need not fear the results of a hundred battles."
- Sun Tzu, military general, strategist and philosopher, 5th century BC, China
Deception is a powerful, effective but under-utilised tool (at least by defenders)
Full range of "effects" on adversaries possible through deception

Deception Effects - Attacker & Defender

Effect          | Attacker's use                                                      | Defender's use
Fail to observe | Prevent the defender from detecting the attack                      | Prevent the attacker from discovering their target
Reveal          | Trick the defender into providing access                            | Trick the attacker into revealing their presence
Waste time      | Focus the defender's attention on the wrong aspects of the incident | Focus the attacker's efforts on the wrong target
Operation Mincemeat - 1943
Successful British disinformation plan during the Second World War to cover the Allied invasion of Sicily from North Africa: to convince the Germans that instead of attacking Sicily the Allied armies would invade Greece.
This was accomplished by persuading the Germans that they had, by accident, intercepted top-secret documents giving details of Allied war plans.
Attack Surface, Attribution, Residency, Deniability
From the living room to the boardroom
Attack Surface
From ordinary consumers to a single-office business, through the regulatory bodies, to the national and global giants
The environment dictates the approach - no "silver bullet"
Layered security - combining multiple mitigating security controls to cost-effectively protect resources and data
Attack Attribution
At which point in the attack do you realise that you have been hacked?
TalkTalk, DNC, Yahoo
There are very few "smoking guns" visible
Attacks that begin with broadly targeted phishing, introduce and run new binaries on the victim's network, and then connect to arbitrary internal hosts using stolen credentials can still remain hidden for a year
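The "connects to random internal hosts using stolen credentials" behaviour above is one of the few smoking guns that does exist, if anyone looks for it: a single account reaching many distinct hosts in a few minutes is reconnaissance, not work. The following is an added example written for this page, not code from the speaker or any vendor. It runs a fan-out check over a constructed, simplified authentication log (timestamp, user, source host, destination host, result); the field layout, the ten-minute window and the five-host threshold are assumptions to be tuned against your own baseline.

```python
"""Detect credential-driven fan-out across internal hosts.

Added example for the attribution/residency point; not from the conference
deck or any vendor. The authentication log format is a constructed,
simplified one (timestamp user source destination result) and the window and
threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. "alice" is normal daytime activity; "bob" is a stolen
# account being used at night to touch many hosts in quick succession, with a
# failure mixed in, which is what reconnaissance with a stolen credential looks like.
SAMPLE_AUTH_LOG = """\
2016-10-31T09:00:12Z alice ws-017 fs-01 success
2016-10-31T09:05:40Z alice ws-017 mail-01 success
2016-10-31T22:14:03Z bob ws-042 ws-101 success
2016-10-31T22:14:09Z bob ws-042 ws-102 success
2016-10-31T22:14:15Z bob ws-042 ws-103 failure
2016-10-31T22:14:21Z bob ws-042 fs-01 success
2016-10-31T22:14:27Z bob ws-042 sql-01 success
2016-10-31T22:14:33Z bob ws-042 dc-01 success
2016-11-01T08:30:00Z bob ws-042 fs-01 success
"""


def parse_auth_log(text):
    """Return a list of (timestamp, user, src, dst, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, src, dst, result))
    return events


def detect_fan_out(events, window=timedelta(minutes=10), min_hosts=5):
    """Flag users whose logons reach >= min_hosts distinct destinations within `window`.

    Failed attempts count too: an attacker probing with a stolen credential
    leaves failures behind; a legitimate user rarely does so across many hosts.
    Returns {user: (window_start, sorted list of destination hosts)}.
    """
    by_user = defaultdict(list)
    for ts, user, _src, dst, _result in events:
        by_user[user].append((ts, dst))
    alerts = {}
    for user, logons in by_user.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            # Sliding window anchored at each logon; events are time-ordered.
            hosts = {dst for ts, dst in logons[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                alerts[user] = (start, sorted(hosts))
                break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for user, (start, hosts) in detect_fan_out(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"ALERT {user}: {len(hosts)} hosts within 10 min from "
              f"{start:%Y-%m-%d %H:%M:%S}: {', '.join(hosts)}")
```

On the sample, "bob" trips the check (six distinct hosts in thirty seconds, one of them a domain controller) while "alice" does not. The same logic applies unchanged to Windows 4624/4625 events or VPN logs once the parser is swapped; what matters is counting distinct destinations per account per window, including failures.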
Examples of Global IT Vendors' Vulnerabilities
Microsoft: the August 2016 Patch Tuesday included five updates rated critical out of a total of nine, bringing the number of patches for the year to date to 103
SAP: there are vulnerabilities in almost every SAP module; CRM, EP and SRM are the leaders among them (ERPScan, SAP Cyber Threat Report 2016)
Oracle MICROS (and others): in total, more than one million PoS terminals around the world could be at risk should the attacks prove to have been deeper than the companies are currently publicly admitting (Computing, August 2016)
Dwell Time / Residency
Mandiant reported a median of 205 days that attackers lurked on a network before being discovered [1]
Microsoft recently reported that it takes more than 200 days to detect a security breach and 80 days to contain it [2]
[1] https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf
[2] https://blogs.windows.com/windowsexperience/2016/03/01/announcing-windows-defender-advanced-threat-protection/
Plausible Deniability & Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrongdoing cannot be proved true or untrue, because there is no evidence to support the allegation.
It is a basic law for the cheat and the deceiver: be able to offer up an excuse that cannot easily be disproved and that makes sense for the situation. Commodity malware gives an intruder the same cover: a compromised host running off-the-shelf tooling says little about who sent it.
Trickle-down Effects
The motor industry's trickle-down is getting faster: yesteryear's top-end innovations migrate through the model range and become standard options in lower-priced vehicles.
This pattern of innovation holds true in virtually every field, including cyber security.
Malware as a Service (MaaS) - moving from heavily funded specialist cyber experts down into the mass market
MaaS is now commonly available at very low cost through darknet markets reached over anonymity networks such as Tor and I2P
Honeypots & Tokens - Evolution Mimicry
Honeypots
Venus flytrap in action (triggered honeypot)
Trojan Horse (passive honeypot): built by the Greeks to enter the city of Troy and win the ten-year Trojan War - a story from Greek legend
Cartography: a trap street (passive honeypot) is a fictitious entry in the form of a misrepresented street, for the purpose of trapping potential copyright violators
Tempting - the "moneypot" ("All mine......" / "Ooops")
Honeypot Principle
Focus on detecting threats: here we'd like to know immediately when someone has broken into the network and is in places they shouldn't be
Ensure the honeypot looks appealing to the attacker: the honeypot must look legitimate and enticing
In this attack scenario the defender has a particular advantage. Once attackers land inside your internal network they are at a disadvantage: they don't know the lay of the land and they need to explore it (reconnaissance) while remaining hidden
Because no legitimate user or process has any reason to touch a honeypot, every interaction with it is a high-fidelity signal; the control is only as good as the path from that alert to someone who will act on it
Defence through Deception
Deception is a highly effective solution for protecting environments, used to confuse, delay and redirect the enemy
Lured to the Canary honeypot, the attacker is tricked into engaging with that device and believes the attack is succeeding
Canary - Today and Tomorrow
Canary - great for remote sites, but what about our VM data centres?
What about integration with established enterprise monitoring frameworks such as HP OpenView, CA or Microsoft SCOM?
Console management - is there a limit on the number of deployed Canaries?
Are "Canarytokens" part of tomorrow's planning?
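A Canarytoken is the honeypot principle shrunk to a single secret: plant something that looks worth stealing, that nothing legitimate will ever use, and treat any sighting of it as a confirmed intrusion. The block below is an added example for the Honeypot Principle and Canarytokens passages above; it is not Thinkst Canary or Canarytokens code. The registry layout, the token derivation, the planting locations and the log lines are all assumptions constructed for this illustration.

```python
"""Canary-style honeytokens: secrets planted where no legitimate process will
ever use them, so any sighting in a log is a near-certain intrusion signal.

Added example for the honeypot principle and the Canarytokens question above.
Not Thinkst Canary or Canarytokens code; registry layout, token format and log
formats are assumptions made for this illustration.
"""
import hashlib
import hmac
import re

# Assumption: one secret key for the registry, kept outside the code in practice.
# Deriving each token from its planting location keeps the registry to a list of
# locations, and an alert can name exactly which decoy the intruder picked up.
REGISTRY_KEY = b"example-only-registry-key"

# Where decoys are planted (constructed). The value describes the lure.
PLANTED = {
    "fileserver:/finance/payroll_2016.xlsx": "document with tracking URL",
    "ws-042:C:/Users/admin/aws_backup.txt": "fake cloud access key",
    "git:config/database.yml": "fake database password",
}

TOKEN_LEN = 24
TOKEN_RE = re.compile(r"\b[0-9a-f]{%d}\b" % TOKEN_LEN)


def token_for(location, key=REGISTRY_KEY):
    """Deterministic per-location token: HMAC-SHA256(key, location), truncated."""
    return hmac.new(key, location.encode(), hashlib.sha256).hexdigest()[:TOKEN_LEN]


def build_lookup(planted=PLANTED, key=REGISTRY_KEY):
    """token -> planting location, for O(1) checks while scanning logs."""
    return {token_for(loc, key): loc for loc in planted}


def scan_logs(lines, lookup):
    """Return one alert per log line that carries a registered token.

    The regex only extracts candidates; the registry lookup is what gives
    fidelity, so an unrelated 24-hex session id does not alert.
    """
    alerts = []
    for line in lines:
        for candidate in TOKEN_RE.findall(line):
            if candidate in lookup:
                alerts.append({"token": candidate, "planted_at": lookup[candidate], "log": line})
    return alerts


# Constructed log lines. The first two contain planted tokens (a decoy document's
# tracking image fetched, and a decoy cloud key presented to an API gateway);
# the third is ordinary traffic with an unrelated hex string and must not alert.
SAMPLE_LOGS = [
    '203.0.113.7 - - [04/Nov/2016:10:02:11 +0000] "GET /img/%s.gif HTTP/1.1" 200 43'
    % token_for("fileserver:/finance/payroll_2016.xlsx"),
    "2016-11-04T10:05:42Z api-gw key=%s action=ListBuckets result=denied src=203.0.113.7"
    % token_for("ws-042:C:/Users/admin/aws_backup.txt"),
    '198.51.100.4 - - [04/Nov/2016:10:06:00 +0000] "GET /session/9f1c0d3b5a7e2f4c6b8d0a1e HTTP/1.1" 200 512',
]


if __name__ == "__main__":
    for alert in scan_logs(SAMPLE_LOGS, build_lookup()):
        print("INTRUSION: decoy %r touched; evidence: %s" % (alert["planted_at"], alert["log"]))
```

Run it and the first two lines raise alerts naming the decoy that was touched; the third, an ordinary session id of the same shape, does not. In a real deployment the token lives inside the decoy (a tracking URL in a document, a plausible-looking key in a config file) and the registry sits with whatever already reads your web, DNS, proxy or API logs; the decoys must be credible enough that an intruder doing reconnaissance picks them up, which is the "legitimate and enticing" requirement from the honeypot principle.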
Identification & Authorisation
A new way forward
Tokens
In general a token is an object that represents something else, such as another object (either physical or virtual) or an abstract concept. In computer systems there are a number of types of tokens, both hardware and software.
In human terms a token of trust can exist between two parties, with such levels of trust reinforced through personal introductions by other parties.
A token generation and management platform designed specifically for high-security multi-services in public and private clouds greatly enhances trustworthy information handling.
Identification with Passwords
Any directory service or management platform holding passwords becomes a target for credential theft by the attacker
Passwords are fundamentally flawed: often easy to guess; reused across different services; written down, stored or shared; can be intercepted; expensive to maintain. 29% of all cybercrime is from stolen passwords
Identification WITHOUT Password
The Problem: the password has outlived its usefulness
Secure Cloudlink's Response: a patented, highly secure tokenised message management solution that makes passwords redundant. User credentials are not transmitted, stored or replicated. Secure digital services - a snap for the user
Randomised encrypted key generation - no consistent key to be stolen
Conclusion - Possible quick wins
Immediate, low-risk considerations
People protection: continuous interactive education on the threats and risks posed by cyber-criminals, through the deployment of Phish5 email phishing simulations with supporting education processes
Network hardening: rapid deployment of customisable, low-cost, capex-free Canary honeypots at the strategic points on the network
Access and authorisation protection: review and assess the usage and costs (direct/indirect) of passwords in your own organisation - test the results against Secure Cloudlink
Information handling assurance: regular external expert assessment and audit of network data governance practices and procedures
Security Through Obscurity
Warfare - The Social Threat
Attack Surface, Attribution, Residency, Deniability - Living room to Boardroom
Honeypots & Tokens - Evolution Mimicked
Identification and Authorisation - New Pathway
Thank you
Trust in "THIS"
Security through Obscurity - Ray Dalgarno
raycybercastco
New and evolving forms of malware - Mark Olding, Senior Enterprise Presales Consultant, Kaspersky Lab
The what, how, who and why of computer malware
THE SCALE OF THE THREAT
1994: 1 new virus every hour
2006: 1 new virus every minute
2011: 1 new virus every second
2016: 310,000 new samples every day
THE SCALE OF THE THREAT
(Chart) Traditional cybercrime: 90%; targeted threats to organizations (targeted attacks, advanced persistent threats): 9.9%; cyber-weapons: 0.1%
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of Things
Big Data
Fragmentation of the internet
Cloud & virtualization
Consumerisation & mobility
Critical infrastructure at risk
Increasing online commerce
Privacy & data protection challenge
Online banking at risk
Mobile threats
Decreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Targeting hotel networks
Ransomware programs
Cyber mercenaries
Massive data leaks
Malware for ATMs
Financial phishing attacks
Attacks on PoS terminals
Threats to smart cities
'Wipers' & cyber-sabotage
Targeted attacks
HOW MALWARE SPREADS
USB sticks
Email
Exploit kits
Social networks
Browsers
Android OS
VULNERABILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab detected 798,113,087 web attacks in 2015
25 attacks per second; 1,518 attacks per minute
91,000 attacks per hour; 2.1 million attacks per day
Drive-by downloads (June 2015)
Social media (June 2015)
Removable drives (June 2015)
Digital certificates
CONSUMER THREATS IN 2015
(Chart) Users attacked per month, Nov 2014 to Sep 2015; vertical axis 0 to 450,000 users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on almost 2 million computers
This number is 2.8% higher than in 2014
Ransomware (June 2015): blockers and cryptors
ADVANCED PERSISTENT THREATS
Stuxnet
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetic Bear / Crouching Yeti
Epic Turla
Careto / The Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 2.0
Blue Termite
Wild Neutron
We discover and dissect the world's most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
A targeted attack on a bank
1. Infection: emails with exploits; Carbanak sent the backdoor as an attachment to a bank employee; credentials stolen; hundreds of machines infected in search of the admin PC
2. Harvesting intelligence: intercepting the clerk's screen, recording how the admin operates the cash transfer systems
3. Mimicking the staff - how the money was stolen:
   Online banking: money was transferred to the fraudsters' accounts
   E-payment systems: money was transferred to banks in China and the US
   Inflated account balances: the extra funds were pocketed via a fraudulent transaction
   Controlling ATMs: orders to dispense cash at a pre-determined time
MAC MALWARE
In 2012 the Flashback botnet was discovered, consisting of 700,000 computers, all running Mac OS X
Cybercriminals repeatedly use Mac malware when launching targeted attacks
Macs can unknowingly pass PC malware onto PCs in your network
(Chart) Mac OS X malware samples by year, 2003 to 2015; vertical axis 0 to 30,000
Since 2012 the proportion of adware on OS X has increased fivefold (x5)
Kaspersky Lab recorded almost 6 million unique attacks on Mac devices in 2015
There are more than 24,000 samples of malicious OS X files in Kaspersky Lab's collection
MOBILE MALWARE
(Chart) Mobile malware samples by quarter, Q1 2011 to Q3 2015; vertical axis 0 to 1,600,000
Mobile malware by type: Adware, RiskTool, Trojan-SMS, Trojan, Trojan-Spy, Backdoor, Trojan-Downloader, Trojan-Banker, Trojan-Ransom, Monitor, Other
RIGHT NOW
• Evaluate the risks
• Patch OS and applications
• Manage your network
• Secure your systems: multi-layered protection; not just endpoints; default-deny; encrypt; don't forget mobile
• Educate staff
TOMORROW
• Stop fire fighting - create a strategy
• It's bigger than IT
• Delegate to experts: assessment, incident response, analysis
FUTURE PROSPECTS
• 'The end of APTs'
• Alternative payment systems and stock exchanges
• Sabotage, extortion and shame
• Ransomware
• Trusted resources
• From 'APT-as-a-Service' to 'Access-as-a-Service'
• Balkanisation
• Transportation
• 'Crypto-apocalypse'
THANK YOU
Closing keynote address - Vicki Gavin, Compliance Director, Head of Business Continuity & Information Security, The Economist Group
Thank you
NHS Cyber Attacks ndash The Telegraph 1st Nov 2016
ldquohelliphacking is no longer the stuff of spy thrillers and action movies but a clear and present threathelliprdquo
ldquohellipBen Gummer minister for Cabinet says that large quantities of sensitive data held by the NHS and the Government is being targeted by hackershelliprdquo
ldquohellipMinisters will also unveil a Cyber Security Research Institute a virtual collection of UK universities which will work towards making passwords obsoletehelliprdquo
Cyber Fraud
ldquohellipOnline fraudsters stole pound109bn in the UK last yearhelliprdquo
ldquohellip39 (of respondents) questioned by ldquoGet Safe Onlinerdquo said they were a victim of cybercrime but did not report ithelliprdquo
ldquohellip53 received phishing messageshelliprdquo
Extract from The Telegraph 20th October 2016
Cyber Crime is a War ZoneldquoRouse him and learn the principle of his activity or inactivity Force him to reveal himself so as to find out his vulnerable spotsrdquoldquoIf you know the enemy and know yourself you need not fear the results of a hundred battlesrdquo
- Sun Tzu Military General Strategist amp Philosopher 5th Century BC ChinaDeception is a powerful effective but under utilised tool ndash (at least by defenders)
Full range of ldquoeffectsrdquo on adversaries possible through deception
Effects Attacker Defender
Fail to observe
Prevent the defender from detecting the attack Prevent the attacker from discovering their target
Reveal
Trick the defender into providing access Trick the attacker into revealing their presence
Waste Time
Focus the defenderrsquos attention on the wrong aspects of the incident
Focus the attackerrsquos efforts on the wrong target
Deception Effects - Attacker amp Defender
Operation Mincemeat - 1943
Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa To convince the Germans that instead of attacking Sicily the Allied armies would invade Greece
Operation Mincemeat - 1943Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa To convince the Germans that instead of attacking Sicily the Allied armies would invade Greece
This was accomplished by persuading the Germans that they had by accident intercepted top secret documents giving details of Allied war plans
Attack Surface Attribution Residency
DeniabilityFrom the living room to the boardroom
Attack Surface
From ordinary consumers to a single-office business through the regulatory bodies to the national and global giants
The environment dictates the approach ndash no ldquoSilver Bulletrdquo
Layered security ndash combining multiple mitigating security controls to cost effectively protect resources amp data
Attack AttributionAt which point in the attack do you realise that you have been hacked
TalkTalk DNC Yahoo
There are very few ldquosmoking gunsrdquo visible
Attacks that often begin with broadly targeted phishing that can introduce amp run new binaries on victims networks amp that connect to random internal hosts using exfiltrated credentials can still remain hidden for a year
Examples of Global IT Vendorsrsquo Vulnerabilities
Microsoft Microsoft August (2016) Patch Tuesday included five updates rated
critical out of a total of nine bringing the number of patches for the year-to-date at 103
SAP There are vulnerabilities in almost every SAP module CRM EP and SRM
are leaders among them ERPScan SAP Cyber Threat Report2016
Oracle MICROS (and others) In total more than one million PoS terminals around the world could be
at risk should the attacks prove to have been deeper than the companies are currently publicly admitting
Computing Aug
Dwell TimeResidency
Mandiant reported that attackers on average lurked on a network for 205 days before being discoveredsup1
Microsoft recently reported they place the number at more than 200 days to detect a security breach and 80 days to contain itsup2
1 httpswww2fireeyecomrsfireyeimagesrpt-m-trends-2015pdf2 httpsblogswindowscomwindowsexperience20160301announcing-windows-defender-advanced-threat-protection
Plausible Deniability amp Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrong doing cannot be proved as true or untrue due to a lack of evidence proving the allegation
It is a basic law for the cheat and the deceiver Be able to offer up an excuse that cannot be disproved easily and that makes sense for the situation
Trickle-down Effects
Increasing rapidity of car-trickle-down yester-yearsrsquo top end car innovations eventually migrate through the models becoming standard options in lower-priced vehicles
This pattern of innovation holds true in virtually every field including cyber- security
Malware as a Service (MaaS) ndash moving from the heavily funded specialist cyber experts down into the mass market
MaaS now commonly available at very low cost through the darknet and sites such TOR I2p
Honeypots amp TokensEvolution Mimicry
Honeypots
Venus Flytrap in Action (triggered honeypot)
Trojan Horse (passive honeypot) Greeks built used to enter the city of Troy and win the 10 year Trojan war - 4th Century story
Cartography A trap street (passive honeypot) is a fictitious entry in the form of a misrepresented street for the purpose of trapping potential copyright violators
Tempting - moneypot
All minehelliphelliphellip
Ooops
Honeypot Principle
Focus on detecting threats Here wersquod like to know immediately someone has broken into the network
and in places they shouldnrsquot be
Ensure the honeypot looks appealing to the attacker The honeypot must look legitimate amp enticing
In this attack scenario the defender has particular advantage Once attackers initially land inside your internal network theyrsquore at a
disadvantage They donrsquot know the lay of the land and they need to explore it (reconnaissance) while remaining hidden
Defence through Deception
Deception is a highly effective solution for protecting environments used to confuse delay and redirect the enemy
Lured to the Canary Honeypot the attacker will be tricked into engaging with that device and believe they are being successful in their attack
Canary ndash Today and Tomorrow
Canary - great for remote sites but what about our VM data centres
What about integration with established enterprise monitoring frameworks such as Openview CA or Microsoft SCOM
Console management limit on the number of deployed Canaries
Are ldquoCanarytokensrdquo part of tomorrowrsquos planning
Identification amp Authorisation
A new way forward
TokensTokens - In general a token is an object that represents something else such as another object (either physical or virtual) or an abstract concept In computer systems there are a number of types of tokens both hardware and software
In human terms a token of trust can exist between two parties with such levels of trust reinforced through personal introductions with other partiesA token generation amp management platform designed specifically for high security multi-services in public and private clouds
greatly enhances trustworthy information handling
Identification with Passwords Any directory service or managementplatform holding passwords becomes atarget by the attacker for credentialsrsquo theft
Passwords are fundamentally flawed Often easy to guess Are reused across different services Are written down or stored or shared Can be intercepted Are expensive to maintain 29 of all cybercrime is from stolen
passwords
Identification WITHOUT Password
The Problem The password has outlived itrsquos usefulness
Secure Cloudlinkrsquos Response Patented and highly secure tokenised message management
solution assures password redundancy User credentials are not transmitted stored or replicated Secure digital services - a snap for the user
Randomised encrypted key generation ndashno consistent key to be stolen
ConclusionPossible quick-wins
Immediate Low-risk ConsiderationsPeople protection Continuous inter-active education on the threats amp risks posed by cyber-criminals through the deployment of Phish5 email phishing simulations with supporting education processes
Network hardening Rapid deployment of customisable low-cost capex-free Canary honeypots throughout the strategic points on the network
Access amp authorisation protection Review and assess the usage amp costs (directindirect) of passwords in your own organisation ndash test the results against Secure Cloudlink
Information handling assurance Regular external expert assessment amp audit of network data governance practices and procedures
Security Through Obscurity
Warfare - The Social Threat
Attack Surface Attribution Residency Deniability -Livingroom to Boardroom
Honeypots amp Tokens ndash Evolution Mimicked
Identification and Authorisation ndash New Pathway
Thank you
Trust in ldquoTHISrdquo
Security through ObscurityRay Dalgarno
raycybercastco
New and evolving forms of malwareMark Olding Senior Enterprise Presales Consultant Kaspersky Labs
The what how who and why of computer malware
Mark OldingSenior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1NEW VIRUS EVERY HOUR
19941NEW VIRUS EVERY MINUTE
20061NEW VIRUS EVERY SECOND
2011310000NEW SAMPLES EVERY DAY
2016
THE SCALE OF THE THREAT
90
99
01
Targeted attacks
Advanced persistent threats
Traditional cybercrime
Targeted threats to organizations
Cyber-weapons
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of ThingsBig Data Fragmentation of the internet
Cloud amp Virtualization Consumerisation amp Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy amp Data protection challenge
Online banking at risk
Mobile threatsDecreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of ThingsTargeting hotel networks
Ransomware programs
Cyber mercenaries Massive data leaks
Malware for ATMs
Financial phishing attacksAttacks on
PoS terminals
Threats to Smart CitieslsquoWipersrsquo amp Cyber - sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email Exploit kits
Social Networks
BrowsersAn-droi-dOS
VULNERBILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798113087 web attacks in 2015
25 attacks per second1518 attacks per minute
21 million attacks per day 91000 attacks per hour
DRIVE-BY DOWNLOADS (June 2015)
SOCIAL MEDIA (June 2015)
REMOVABLE DRIVES (June 2015)
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
[Chart: users attacked per month, Nov-14 to Sep-15; y-axis 0–450,000 users]
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 2.8% higher than in 2014
Ransomware (June 2015)
BLOCKERS
CRYPTORS
Advanced Persistent Threats
Stuxnet, Duqu, Gauss, Flame, MiniFlame, Kimsuky, NetTraveler, Winnti, Icefog, RedOctober, Miniduke, TeamSpy, Energetic Bear / Crouching Yeti, Epic Turla, Careto / The Mask, Regin, CosmicDuke, Darkhotel, Spring Dragon, Satellite Turla, MsnMM Campaigns, Darkhotel Part 2, Animal Farm, Equation, Desert Falcons, Carbanak, Sofacy, Hellsing, Naikon, Duqu 2.0, Blue Termite, Wild Neutron
We discover and dissect the world’s most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
A targeted attack on a bank
1. Infection: emails with exploits; Carbanak sent the backdoor as an attachment to a bank employee; credentials stolen; 100s of machines infected in search of the admin PC
2. Harvesting intelligence: intercepting the clerk’s screen (admin PC, cash transfer systems)
3. Mimicking the staff – how the money was stolen:
Online banking – money was transferred to the fraudsters’ accounts
E-payment systems – money was transferred to banks in China and the US
Inflated account balances – the extra funds were pocketed via a fraudulent transaction
Controlling ATMs – orders to dispense cash at a pre-determined time
MAC MALWARE
In 2012 the Flashback botnet was discovered, consisting of 700,000 computers all running under Mac OS X
Cybercriminals repeatedly use Mac malware when launching targeted attacks
Macs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
[Chart: Mac malware samples per year, 2003–2015; y-axis 0–30,000]
Since 2012 the proportion of adware on OS X has increased fivefold (x5)
Kaspersky Lab recorded almost 6 million unique attacks on Mac devices in 2015
There are more than 24,000 samples of malicious OS X files in Kaspersky Lab’s collection
MOBILE MALWARE
[Chart: mobile malware samples, Q1 2011 to Q3 2015; y-axis 0–1,600,000]
MOBILE MALWARE
[Chart: breakdown by type – Adware, RiskTool, Trojan-SMS, Trojan, Trojan-Spy, Backdoor, Trojan-Downloader, Trojan-Banker, Trojan-Ransom, Monitor, Other]
RIGHT NOW
• Evaluate the risks
• Patch OS and applications
• Manage your network
• Secure your systems: multi-layered protection; not just endpoints; Default-Deny; encrypt; don’t forget mobile
• Educate staff
• Stop fire fighting – create a strategy
• It’s bigger than IT
• Delegate to experts: assessment, incident response, analysis
TOMORROW
FUTURE PROSPECTS
• ‘The end of APTs’
• Alternative payment systems and stock exchange
• Sabotage, extortion and shame
• Ransomware
• Trusted resources
• From ‘APT-as-a-Service’ to ‘Access-as-a-service’
• Balkanisation
• Transportation
• ‘Crypto-apocalypse’
THANK YOU
Closing keynote address – Vicki Gavin, Compliance Director, Head of Business Continuity & Information Security, The Economist Group
Thank you
Cyber Fraud
“…Online fraudsters stole £10.9bn in the UK last year…”
“…39% (of respondents) questioned by “Get Safe Online” said they were a victim of cybercrime but did not report it…”
“…53% received phishing messages…”
Extract from The Telegraph, 20th October 2016
Cyber Crime is a War Zone
“Rouse him and learn the principle of his activity or inactivity. Force him to reveal himself so as to find out his vulnerable spots.”
“If you know the enemy and know yourself, you need not fear the results of a hundred battles.”
- Sun Tzu, Military General, Strategist & Philosopher, 5th Century BC, China
Deception is a powerful, effective but under-utilised tool – (at least by defenders)
Full range of “effects” on adversaries possible through deception
Deception Effects - Attacker & Defender
Effect          | Attacker                                                            | Defender
Fail to observe | Prevent the defender from detecting the attack                      | Prevent the attacker from discovering their target
Reveal          | Trick the defender into providing access                            | Trick the attacker into revealing their presence
Waste time      | Focus the defender’s attention on the wrong aspects of the incident | Focus the attacker’s efforts on the wrong target
Operation Mincemeat - 1943
Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa: to convince the Germans that, instead of attacking Sicily, the Allied armies would invade Greece
This was accomplished by persuading the Germans that they had by accident intercepted top secret documents giving details of Allied war plans
Attack Surface, Attribution, Residency, Deniability
From the living room to the boardroom
Attack Surface
From ordinary consumers to a single-office business, through the regulatory bodies to the national and global giants
The environment dictates the approach – no “Silver Bullet”
Layered security – combining multiple mitigating security controls to cost-effectively protect resources & data
Attack Attribution: At which point in the attack do you realise that you have been hacked?
TalkTalk, DNC, Yahoo
There are very few “smoking guns” visible
Attacks that often begin with broadly targeted phishing, that can introduce & run new binaries on victims’ networks & that connect to random internal hosts using exfiltrated credentials, can still remain hidden for a year
Examples of Global IT Vendors’ Vulnerabilities
Microsoft: Microsoft’s August (2016) Patch Tuesday included five updates rated critical out of a total of nine, bringing the number of patches for the year-to-date to 103
SAP: There are vulnerabilities in almost every SAP module; CRM, EP and SRM are leaders among them (ERPScan, SAP Cyber Threat Report 2016)
Oracle MICROS (and others): In total more than one million PoS terminals around the world could be at risk, should the attacks prove to have been deeper than the companies are currently publicly admitting (Computing, Aug)
Dwell Time / Residency
Mandiant reported that attackers on average lurked on a network for 205 days before being discovered¹
Microsoft recently reported they place the number at more than 200 days to detect a security breach and 80 days to contain it²
1 https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf
2 https://blogs.windows.com/windowsexperience/2016/03/01/announcing-windows-defender-advanced-threat-protection
Plausible Deniability & Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrongdoing cannot be proved as true or untrue, due to a lack of evidence proving the allegation
It is a basic law for the cheat and the deceiver: be able to offer up an excuse that cannot be disproved easily and that makes sense for the situation
Trickle-down Effects
Increasing rapidity of car trickle-down: yester-years’ top-end car innovations eventually migrate through the models, becoming standard options in lower-priced vehicles
This pattern of innovation holds true in virtually every field, including cyber-security
Malware as a Service (MaaS) – moving from the heavily funded specialist cyber experts down into the mass market
MaaS is now commonly available at very low cost through the darknet and sites such as Tor and I2P
Honeypots & Tokens – Evolution, Mimicry
Honeypots
Venus Flytrap in action (triggered honeypot)
Trojan Horse (passive honeypot): the Greeks built and used it to enter the city of Troy and win the 10-year Trojan War - 4th Century story
Cartography: a trap street (passive honeypot) is a fictitious entry, in the form of a misrepresented street, for the purpose of trapping potential copyright violators
Tempting - “moneypot”: “All mine………” “Ooops”
Honeypot Principle
Focus on detecting threats: here we’d like to know immediately someone has broken into the network and is in places they shouldn’t be
Ensure the honeypot looks appealing to the attacker: the honeypot must look legitimate & enticing
In this attack scenario the defender has a particular advantage: once attackers initially land inside your internal network they’re at a disadvantage. They don’t know the lay of the land and they need to explore it (reconnaissance) while remaining hidden
Defence through Deception
Deception is a highly effective solution for protecting environments, used to confuse, delay and redirect the enemy
Lured to the Canary honeypot, the attacker will be tricked into engaging with that device and believe they are being successful in their attack
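The honeypot principle above (a touch of something no legitimate user needs is a clean detection signal) as an added illustrative detector; this is not Canary’s or the speaker’s code. It matches constructed log events against a constructed set of decoy hosts, accounts and documents, and ranks each source by how many distinct decoys it touched; the log format, decoy names and sample events are all assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Decoy:
    """One planted lure. kind selects which log field it is matched against."""
    kind: str    # "host", "account" or "document"
    value: str   # the name exactly as it would appear in a log event
    note: str    # context carried into the alert


# Constructed decoys for this example. Nothing legitimate ever uses them,
# so a single touch is a high-fidelity signal rather than a "maybe".
DECOYS = (
    Decoy("host", "db-legacy-07", "decoy host advertising an old database port"),
    Decoy("account", "admin_dr", "decoy credential planted in a config file"),
    Decoy("document", "/finance/passwords-2016.xlsx", "decoy file on the share"),
)

# Assumed (constructed) event shape: ISO timestamp, then key=value pairs.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<kv>.+)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Which event field each decoy kind is compared with.
FIELD_FOR_KIND = {"host": "target", "account": "user", "document": "path"}


def parse_line(line: str) -> Optional[dict]:
    """Return the event as a dict, or None for lines that do not fit the shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    event["ts"] = m.group("ts")
    return event


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    user: str
    decoy: Decoy
    raw: str


def match_decoys(event: dict, decoys=DECOYS) -> list:
    """Every decoy this one event touched (an event can touch more than one)."""
    return [d for d in decoys if event.get(FIELD_FOR_KIND[d.kind]) == d.value]


def scan_logs(lines, decoys=DECOYS) -> list:
    """Walk the log once; unparsable lines are skipped, not treated as alerts."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        for decoy in match_decoys(event, decoys):
            alerts.append(Alert(event["ts"], event.get("src", "?"),
                                event.get("user", "?"), decoy, line.strip()))
    return alerts


def summarise(alerts) -> dict:
    """Per-source view: the number of distinct decoys a source touched.
    One touch is already worth a look; several distinct decoys from one
    source is the reconnaissance pattern the slide describes."""
    touched = defaultdict(set)
    for a in alerts:
        touched[a.src].add((a.decoy.kind, a.decoy.value))
    return {
        src: {
            "decoys_touched": len(hits),
            "kinds": sorted(kind for kind, _ in hits),
            "confidence": "high" if len(hits) >= 2 else "medium",
        }
        for src, hits in touched.items()
    }


# Constructed sample log: one workstation doing normal work, one internal host
# probing the decoys (and reusing jsmith's credentials to read the decoy file).
SAMPLE_LOG = [
    "2016-11-04T09:15:02Z src=10.1.4.23 user=jsmith action=smb_open target=fs-01 path=/shared/q3-report.docx",
    "2016-11-04T09:16:40Z src=10.1.9.77 user=svc_backup action=ssh_login target=db-legacy-07 result=fail",
    "2016-11-04T09:17:05Z src=10.1.9.77 user=admin_dr action=ldap_bind target=dc-01 result=fail",
    "2016-11-04T09:18:31Z src=10.1.9.77 user=jsmith action=smb_open target=fs-01 path=/finance/passwords-2016.xlsx",
    "this line is not an event and must be skipped",
    "2016-11-04T09:20:00Z src=10.1.4.23 user=jsmith action=smb_open target=fs-01 path=/shared/q3.pptx",
]


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} CANARY {a.decoy.kind} '{a.decoy.value}' touched from {a.src} as {a.user}: {a.decoy.note}")
    for src, info in summarise(found).items():
        print(f"{src}: {info['decoys_touched']} decoys ({', '.join(info['kinds'])}) -> {info['confidence']} confidence")
```

Note that the third alert fires on a real user name (jsmith) from an unexpected source host: the decoy document, not the account, is what exposes the credential reuse.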
Canary – Today and Tomorrow
Canary - great for remote sites, but what about our VM data centres?
What about integration with established enterprise monitoring frameworks such as OpenView, CA or Microsoft SCOM?
Console management limit on the number of deployed Canaries
Are “Canarytokens” part of tomorrow’s planning?
Identification & Authorisation
A new way forward
Tokens
Tokens - In general a token is an object that represents something else, such as another object (either physical or virtual) or an abstract concept. In computer systems there are a number of types of tokens, both hardware and software
In human terms a token of trust can exist between two parties, with such levels of trust reinforced through personal introductions with other parties
A token generation & management platform designed specifically for high-security multi-services in public and private clouds greatly enhances trustworthy information handling
Identification with Passwords: Any directory service or management platform holding passwords becomes a target for the attacker for credentials’ theft
Passwords are fundamentally flawed: often easy to guess; reused across different services; written down, stored or shared; can be intercepted; expensive to maintain. 29% of all cybercrime is from stolen passwords
Identification WITHOUT Password
The Problem: The password has outlived its usefulness
Secure Cloudlink’s Response: Patented and highly secure tokenised message management solution assures password redundancy. User credentials are not transmitted, stored or replicated. Secure digital services - a snap for the user
Randomised encrypted key generation – no consistent key to be stolen
Conclusion – Possible quick-wins
Immediate Low-risk Considerations
People protection: Continuous interactive education on the threats & risks posed by cyber-criminals, through the deployment of Phish5 email phishing simulations with supporting education processes
Network hardening: Rapid deployment of customisable, low-cost, capex-free Canary honeypots throughout the strategic points on the network
Access & authorisation protection: Review and assess the usage & costs (direct/indirect) of passwords in your own organisation – test the results against Secure Cloudlink
Information handling assurance: Regular external expert assessment & audit of network data governance practices and procedures
Security Through Obscurity
Warfare - The Social Threat
Attack Surface, Attribution, Residency, Deniability – Living room to Boardroom
Honeypots & Tokens – Evolution Mimicked
Identification and Authorisation – New Pathway
Thank you
Trust in “THIS”
Effects Attacker Defender
Fail to observe
Prevent the defender from detecting the attack Prevent the attacker from discovering their target
Reveal
Trick the defender into providing access Trick the attacker into revealing their presence
Waste Time
Focus the defenderrsquos attention on the wrong aspects of the incident
Focus the attackerrsquos efforts on the wrong target
Deception Effects - Attacker amp Defender
Operation Mincemeat - 1943
Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa To convince the Germans that instead of attacking Sicily the Allied armies would invade Greece
Operation Mincemeat - 1943Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa To convince the Germans that instead of attacking Sicily the Allied armies would invade Greece
This was accomplished by persuading the Germans that they had by accident intercepted top secret documents giving details of Allied war plans
Attack Surface Attribution Residency
DeniabilityFrom the living room to the boardroom
Attack Surface
From ordinary consumers to a single-office business through the regulatory bodies to the national and global giants
The environment dictates the approach ndash no ldquoSilver Bulletrdquo
Layered security ndash combining multiple mitigating security controls to cost effectively protect resources amp data
Attack AttributionAt which point in the attack do you realise that you have been hacked
TalkTalk DNC Yahoo
There are very few ldquosmoking gunsrdquo visible
Attacks that often begin with broadly targeted phishing that can introduce amp run new binaries on victims networks amp that connect to random internal hosts using exfiltrated credentials can still remain hidden for a year
Examples of Global IT Vendorsrsquo Vulnerabilities
Microsoft Microsoft August (2016) Patch Tuesday included five updates rated
critical out of a total of nine bringing the number of patches for the year-to-date at 103
SAP There are vulnerabilities in almost every SAP module CRM EP and SRM
are leaders among them ERPScan SAP Cyber Threat Report2016
Oracle MICROS (and others) In total more than one million PoS terminals around the world could be
at risk should the attacks prove to have been deeper than the companies are currently publicly admitting
Computing Aug
Dwell TimeResidency
Mandiant reported that attackers on average lurked on a network for 205 days before being discoveredsup1
Microsoft recently reported they place the number at more than 200 days to detect a security breach and 80 days to contain itsup2
1 httpswww2fireeyecomrsfireyeimagesrpt-m-trends-2015pdf2 httpsblogswindowscomwindowsexperience20160301announcing-windows-defender-advanced-threat-protection
Plausible Deniability and Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility for, or knowledge of, wrongdoing cannot be proved true or untrue for lack of evidence.
It is a basic law for the cheat and the deceiver: be able to offer an excuse that cannot easily be disproved and that makes sense for the situation.
Trickle-down Effects
In the car industry trickle-down is accelerating: yesteryear's top-end innovations migrate through the model range and become standard options in lower-priced vehicles.
This pattern of innovation holds true in virtually every field, including cyber-security.
Malware as a Service (MaaS) is moving from the heavily funded specialist cyber experts down into the mass market.
MaaS is now commonly available at very low cost through darknet markets reachable over anonymity networks such as Tor and I2P.
Honeypots and Tokens: Evolution, Mimicry
Honeypots
- Venus flytrap in action (a triggered honeypot).
- Trojan horse (a passive honeypot): the wooden horse the Greeks built to enter the city of Troy and win the ten-year Trojan War.
- Cartography: a trap street (a passive honeypot) is a fictitious entry, in the form of a misrepresented street, for the purpose of trapping potential copyright violators.
Honeypot Principle
- Focus on detecting threats: here we want to know immediately that someone has broken into the network and is in a place they should not be.
- Ensure the honeypot looks appealing to the attacker: it must look legitimate and enticing.
- In this scenario the defender has a particular advantage. Once attackers land inside your internal network they are at a disadvantage: they do not know the lay of the land and must explore it (reconnaissance) while remaining hidden. Nothing legitimate ever touches a honeypot, so any interaction with it is a high-confidence alert; the corollary is that it only sees what the attacker happens to touch, so placement (where reconnaissance will find it) matters.
Defence through Deception
Deception is a highly effective way of protecting an environment: it is used to confuse, delay and redirect the adversary. Lured to the Canary honeypot, the attacker is tricked into engaging with that device and believes the attack is succeeding.
Canary: today and tomorrow
- Canary is great for remote sites, but what about our virtualised data centres?
- What about integration with established enterprise monitoring frameworks such as HP OpenView, CA or Microsoft SCOM?
- Does console management limit the number of Canaries that can be deployed?
- Are "Canarytokens" part of tomorrow's planning?
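A Canarytoken applies the honeypot principle to data rather than to a device: a unique, otherwise unused identifier is planted in bait, and any later appearance of that identifier in your logs is proof that the bait was opened or resolved. The Python below is an added example for this page, not Thinkst's Canarytokens code and not the deck's material: it mints tokens, records the label of the bait they were planted in, and scans constructed web-access and DNS-resolver log lines for hits. CANARY_DOMAIN, the /t/<token> path layout and both log formats are assumptions.

```python
"""Canarytoken-style tripwires: mint unique tokens, plant them, alert when one is touched.

Added example for this page; not Thinkst's Canarytokens code and not the deck's own material.
CANARY_DOMAIN, the /t/<token> path and the two log formats are assumptions, and the log
lines in demo() are constructed.
"""
import re
import secrets

CANARY_DOMAIN = "canary.example"   # assumed: a domain whose HTTP and DNS logs you control
TOKEN_RE = re.compile(r"\b([0-9a-f]{32})\b")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def mint_token(registry, label):
    """Create a fresh token tied to a human-readable label; return (token, url, hostname).

    Embed the URL in bait (a spreadsheet named like a credential store, a fake
    config file); use the hostname where only a DNS lookup will happen, which
    still fires when outbound HTTP from the victim is blocked."""
    token = secrets.token_hex(16)            # 128 random bits: unguessable, never hit by accident
    registry[token] = label
    return token, f"http://{CANARY_DOMAIN}/t/{token}", f"{token}.dns.{CANARY_DOMAIN}"


def scan_log(lines, registry):
    """Return one alert per log line that references a token we minted.

    Unknown 32-hex strings (session ids, hashes) are ignored, so an alert can
    only come from bait being opened or resolved: a true positive by construction."""
    alerts = []
    for line in lines:
        for token in TOKEN_RE.findall(line):
            label = registry.get(token)
            if label is None:
                continue
            ip = IPV4_RE.search(line)
            alerts.append({
                "label": label,
                "token": token,
                "kind": "dns" if f".dns.{CANARY_DOMAIN}" in line else "http",
                "src": ip.group(1) if ip else None,
                "line": line,
            })
    return alerts


def demo():
    """Mint one token for a bait file, then scan constructed web and DNS log lines."""
    registry = {}
    token, url, host = mint_token(registry, "finance share: passwords.xlsx")
    lines = [
        # constructed web access log line (combined log format) for the bait URL
        f'10.1.5.77 - - [03/Oct/2016:22:15:02 +0000] "GET /t/{token} HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
        # constructed resolver log line for the DNS variant of the same token
        f"2016-10-03T22:15:01 dns query src=10.1.5.77 qname={host} type=A",
        # constructed noise: a 32-hex string that is not one of ours must not alert
        '10.1.5.20 - - [03/Oct/2016:09:00:00 +0000] "GET /t/deadbeefdeadbeefdeadbeefdeadbeef HTTP/1.1" 404 0 "-" "curl"',
    ]
    return registry, url, scan_log(lines, registry)


if __name__ == "__main__":
    _, _, hits = demo()
    for h in hits:
        print(f"CANARY {h['kind']} hit: '{h['label']}' touched from {h['src']}")
```

The label is what makes the alert actionable: "finance share: passwords.xlsx opened from 10.1.5.77" tells the responder which bait, and therefore which share or host, the intruder has reached. The DNS variant matters because an attacker who has disabled or proxied HTTP egress still triggers a resolver lookup when a document or tool tries to reach the hostname.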
Identification and Authorisation: a new way forward
Tokens: in general, a token is an object that represents something else, such as another object (physical or virtual) or an abstract concept. In computer systems there are a number of types of token, both hardware and software.
In human terms, a token of trust can exist between two parties, with such levels of trust reinforced through personal introductions by other parties.
A token generation and management platform designed specifically for high-security multi-services in public and private clouds greatly enhances trustworthy information handling.
Identification with passwords: any directory service or management platform holding passwords becomes a target for credential theft.
Passwords are fundamentally flawed: they are often easy to guess, are reused across different services, are written down, stored or shared, can be intercepted, and are expensive to maintain. 29% of all cybercrime is from stolen passwords.
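Why a directory holding passwords is such a target, and what limits the damage when it is dumped, is worth seeing concretely. The Python below is an added example for this page, not from the deck or from any vendor's product: it builds a constructed "legacy" dump of unsalted SHA-1 hashes and a second store of salted, iterated PBKDF2 verifiers from the same passwords, then runs the same small constructed wordlist against both and counts the work. The iteration count is a deliberately low demo value.

```python
"""Why a password store is a target, and what limits the damage when it is dumped.

Added example for this page, not from the deck or from any vendor's product. The
'directory dump' and wordlist are constructed. ITERATIONS is a deliberately low demo
value; in production tune it much higher or use a memory-hard function (scrypt, Argon2).
"""
import hashlib
import hmac
import os

ITERATIONS = 50_000
WORDLIST = ["123456", "password", "Summer2016", "letmein"]   # constructed mini-dictionary

# Constructed legacy dump: unsalted SHA-1, as many old directories still store it.
LEGACY_DUMP = {
    "alice": hashlib.sha1(b"Summer2016").hexdigest(),
    "bob":   hashlib.sha1(b"Summer2016").hexdigest(),     # same hash as alice: reuse is visible
    "carol": hashlib.sha1(b"k9#Vw2!pLq7z").hexdigest(),
}


def crack_unsalted(dump, wordlist):
    """One SHA-1 per dictionary word recovers every weak account at once, however many
    accounts there are; the table can even be precomputed before the breach."""
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in dump.items() if h in table}


def make_verifier(password, iterations=ITERATIONS):
    """Salted, iterated PBKDF2-HMAC-SHA256. The directory stores only this verifier:
    nothing in it can be replayed as a credential elsewhere."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password, verifier):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, dk_hex = verifier.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(dump, wordlist):
    """The same dictionary against salted verifiers: work is accounts x words, each one slow,
    and nothing can be precomputed. Returns (recovered, number_of_pbkdf2_runs)."""
    recovered, work = {}, 0
    for user, verifier in dump.items():
        for word in wordlist:
            work += 1
            if verify(word, verifier):
                recovered[user] = word
                break
    return recovered, work


def demo():
    """Compare the two stores built from the same passwords against the same wordlist."""
    modern_dump = {"alice": make_verifier("Summer2016"),
                   "bob": make_verifier("Summer2016"),
                   "carol": make_verifier("k9#Vw2!pLq7z")}
    recovered, work = crack_salted(modern_dump, WORDLIST)
    return {
        "legacy_recovered": crack_unsalted(LEGACY_DUMP, WORDLIST),
        "legacy_work": len(WORDLIST),          # hashes computed, independent of account count
        "modern_recovered": recovered,
        "modern_work": work,                   # one slow PBKDF2 per (account, word) pair
        "same_password_same_verifier": modern_dump["alice"] == modern_dump["bob"],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things the output makes visible. The weak passwords fall either way; salting and stretching only raise the attacker's cost per account and stop one precomputed table from opening the whole directory. And with the modern store, two users sharing a password no longer share a verifier, so the dump no longer reveals reuse. Neither fixes guessability, reuse across services or interception, which is the case the slide is making for moving away from passwords altogether.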
Identification without passwords
The problem: the password has outlived its usefulness.
Secure Cloudlink's response: a patented tokenised message-management solution that makes passwords redundant. User credentials are not transmitted, stored or replicated. Secure digital services, a snap for the user. Randomised encrypted key generation: no consistent key to be stolen.
Conclusion: possible quick wins
Immediate, low-risk considerations:
- People protection: continuous interactive education on the threats and risks posed by cyber-criminals, through the deployment of Phish5 email phishing simulations with supporting education processes.
- Network hardening: rapid deployment of customisable, low-cost, capex-free Canary honeypots at the strategic points on the network.
- Access and authorisation protection: review and assess the usage and costs (direct and indirect) of passwords in your own organisation, and test the results against Secure Cloudlink.
- Information handling assurance: regular external expert assessment and audit of network data governance practices and procedures.
Security Through Obscurity: summary
- Warfare: the social threat
- Attack surface, attribution, residency, deniability: living room to boardroom
- Honeypots and tokens: evolution mimicked
- Identification and authorisation: a new pathway
Thank you. Trust in "THIS".
Security through Obscurity, Ray Dalgarno, ray@cybercast.co
New and evolving forms of malware
Mark Olding, Senior Enterprise Presales Consultant, Kaspersky Lab
The what, how, who and why of computer malware
The scale of the threat
- 1994: one new virus every hour
- 2006: one new virus every minute
- 2011: one new virus every second
- 2016: 310,000 new samples every day
The nature of the threat (by share of what Kaspersky Lab sees):
- Traditional cybercrime: 90%
- Targeted threats to organisations (targeted attacks, advanced persistent threats): 9.9%
- Cyber-weapons: 0.1%
Trends and threats
- Internet of Things; Big Data; fragmentation of the internet
- Cloud and virtualisation; consumerisation and mobility
- Critical infrastructure at risk
- Increasing online commerce
- Privacy and data-protection challenge
- Online banking at risk
- Mobile threats; decreasing costs of APTs
- Merger of cybercrime and APTs
- Supply-chain attacks
- Internet of Things; targeting hotel networks
- Ransomware programs
- Cyber mercenaries; massive data leaks
- Malware for ATMs
- Financial phishing attacks; attacks on PoS terminals
- Threats to smart cities; 'wipers' and cyber-sabotage
- Targeted attacks
How malware spreads
- USB sticks
- Email
- Exploit kits
- Social networks
- Browsers
- Android OS
Vulnerabilities and exploits
Web-based threats
Kaspersky Lab detected 798,113,087 web attacks in 2015: 25 attacks per second, 1,518 per minute, 91,000 per hour, 2.1 million per day.
Drive-by downloads (June 2015)
Social media (June 2015)
Removable drives (June 2015)
Digital certificates
Consumer threats in 2015
[Chart: number of attacked users per month, November 2014 to September 2015; y-axis 0 to 450,000 users]
2 million attempts: in 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on almost 2 million computers. This number is 2.8% higher than in 2014.
Ransomware (June 2015): blockers and cryptors
Advanced persistent threats discovered and dissected by Kaspersky Lab: Stuxnet, Duqu, Gauss, Flame, MiniFlame, Kimsuky, NetTraveler, Winnti, Icefog, Red October, Miniduke, TeamSpy, Energetic Bear / Crouching Yeti, Epic Turla, Careto / The Mask, Regin, CosmicDuke, Darkhotel, Spring Dragon, Satellite Turla, MsnMM campaigns, Darkhotel part 2, Animal Farm, Equation, Desert Falcons, Carbanak, Sofacy, Hellsing, Naikon, Duqu 2.0, Blue Termite, Wild Neutron.
"We discover and dissect the world's most sophisticated malware."
How the Carbanak cybergang stole $1bn: a targeted attack on a bank
1. Infection: emails with exploits; Carbanak sent the backdoor as an attachment to bank employees; credentials stolen; hundreds of machines infected in search of the admin PC.
2. Harvesting intelligence: intercepting the clerk's screen, recording the administrator's sessions on the cash-transfer systems.
3. Mimicking the staff: how the money was stolen.
- Online banking: money was transferred to the fraudsters' accounts.
- E-payment systems: money was transferred to banks in China and the US.
- Inflated account balances: the extra funds were pocketed via a fraudulent transaction.
- Controlling ATMs: orders to dispense cash at a pre-determined time.
Mac malware
- In 2012 the Flashback botnet was discovered, consisting of 700,000 computers all running Mac OS X.
- Cybercriminals repeatedly use Mac malware when launching targeted attacks.
- Macs can unknowingly pass PC malware on to the PCs in your network.
[Chart: number of Mac OS X malware samples by period, 2003-2005 to 2015; y-axis 0 to 30,000]
- Since 2012 the proportion of adware on OS X has increased fivefold (x5).
- Kaspersky Lab recorded almost 6 million unique attacks on Mac devices in 2015.
- There are more than 24,000 samples of malicious OS X files in Kaspersky Lab's collection.
Mobile malware
[Chart: mobile malware samples per quarter, Q1 2011 to Q3 2015; y-axis 0 to 1,600,000]
[Chart: mobile malware by category: Adware, RiskTool, Trojan-SMS, Trojan, Trojan-Spy, Backdoor, Trojan-Downloader, Trojan-Banker, Trojan-Ransom, Monitor, Other]
Right now
- Evaluate the risks
- Patch OS and applications
- Manage your network
- Secure your systems: multi-layered protection, not just endpoints; default-deny; encrypt; don't forget mobile
- Educate staff
- Stop fire-fighting: create a strategy
- It's bigger than IT: delegate to experts (assessment, incident response, analysis)
Tomorrow: future prospects
- 'The end of APTs'
- Alternative payment systems and stock exchanges
- Sabotage, extortion and shame
- Ransomware
- Trusted resources
- From 'APT-as-a-Service' to 'Access-as-a-Service'
- Balkanisation
- Transportation
- 'Crypto-apocalypse'
Thank you
Closing keynote address
Vicki Gavin, Compliance Director, Head of Business Continuity and Information Security, The Economist Group
Thank you
Operation Mincemeat - 1943
Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa To convince the Germans that instead of attacking Sicily the Allied armies would invade Greece
Operation Mincemeat - 1943Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa To convince the Germans that instead of attacking Sicily the Allied armies would invade Greece
This was accomplished by persuading the Germans that they had by accident intercepted top secret documents giving details of Allied war plans
Attack Surface Attribution Residency
DeniabilityFrom the living room to the boardroom
Attack Surface
From ordinary consumers to a single-office business through the regulatory bodies to the national and global giants
The environment dictates the approach ndash no ldquoSilver Bulletrdquo
Layered security ndash combining multiple mitigating security controls to cost effectively protect resources amp data
Attack AttributionAt which point in the attack do you realise that you have been hacked
TalkTalk DNC Yahoo
There are very few ldquosmoking gunsrdquo visible
Attacks that often begin with broadly targeted phishing that can introduce amp run new binaries on victims networks amp that connect to random internal hosts using exfiltrated credentials can still remain hidden for a year
Examples of Global IT Vendorsrsquo Vulnerabilities
Microsoft Microsoft August (2016) Patch Tuesday included five updates rated
critical out of a total of nine bringing the number of patches for the year-to-date at 103
SAP There are vulnerabilities in almost every SAP module CRM EP and SRM
are leaders among them ERPScan SAP Cyber Threat Report2016
Oracle MICROS (and others) In total more than one million PoS terminals around the world could be
at risk should the attacks prove to have been deeper than the companies are currently publicly admitting
Computing Aug
Dwell TimeResidency
Mandiant reported that attackers on average lurked on a network for 205 days before being discoveredsup1
Microsoft recently reported they place the number at more than 200 days to detect a security breach and 80 days to contain itsup2
1 httpswww2fireeyecomrsfireyeimagesrpt-m-trends-2015pdf2 httpsblogswindowscomwindowsexperience20160301announcing-windows-defender-advanced-threat-protection
Plausible Deniability amp Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrong doing cannot be proved as true or untrue due to a lack of evidence proving the allegation
It is a basic law for the cheat and the deceiver Be able to offer up an excuse that cannot be disproved easily and that makes sense for the situation
Trickle-down Effects
Increasing rapidity of car-trickle-down yester-yearsrsquo top end car innovations eventually migrate through the models becoming standard options in lower-priced vehicles
This pattern of innovation holds true in virtually every field including cyber- security
Malware as a Service (MaaS) ndash moving from the heavily funded specialist cyber experts down into the mass market
MaaS now commonly available at very low cost through the darknet and sites such TOR I2p
Honeypots amp TokensEvolution Mimicry
Honeypots
Venus Flytrap in Action (triggered honeypot)
Trojan Horse (passive honeypot) Greeks built used to enter the city of Troy and win the 10 year Trojan war - 4th Century story
Cartography A trap street (passive honeypot) is a fictitious entry in the form of a misrepresented street for the purpose of trapping potential copyright violators
Tempting - moneypot
All minehelliphelliphellip
Ooops
Honeypot Principle
Focus on detecting threats Here wersquod like to know immediately someone has broken into the network
and in places they shouldnrsquot be
Ensure the honeypot looks appealing to the attacker The honeypot must look legitimate amp enticing
In this attack scenario the defender has particular advantage Once attackers initially land inside your internal network theyrsquore at a
disadvantage They donrsquot know the lay of the land and they need to explore it (reconnaissance) while remaining hidden
Defence through Deception
Deception is a highly effective solution for protecting environments used to confuse delay and redirect the enemy
Lured to the Canary Honeypot the attacker will be tricked into engaging with that device and believe they are being successful in their attack
Canary ndash Today and Tomorrow
Canary - great for remote sites but what about our VM data centres
What about integration with established enterprise monitoring frameworks such as Openview CA or Microsoft SCOM
Console management limit on the number of deployed Canaries
Are ldquoCanarytokensrdquo part of tomorrowrsquos planning
Identification amp Authorisation
A new way forward
TokensTokens - In general a token is an object that represents something else such as another object (either physical or virtual) or an abstract concept In computer systems there are a number of types of tokens both hardware and software
In human terms a token of trust can exist between two parties with such levels of trust reinforced through personal introductions with other partiesA token generation amp management platform designed specifically for high security multi-services in public and private clouds
greatly enhances trustworthy information handling
Identification with Passwords Any directory service or managementplatform holding passwords becomes atarget by the attacker for credentialsrsquo theft
Passwords are fundamentally flawed Often easy to guess Are reused across different services Are written down or stored or shared Can be intercepted Are expensive to maintain 29 of all cybercrime is from stolen
passwords
Identification WITHOUT Password
The Problem The password has outlived itrsquos usefulness
Secure Cloudlinkrsquos Response Patented and highly secure tokenised message management
solution assures password redundancy User credentials are not transmitted stored or replicated Secure digital services - a snap for the user
Randomised encrypted key generation ndashno consistent key to be stolen
ConclusionPossible quick-wins
Immediate Low-risk ConsiderationsPeople protection Continuous inter-active education on the threats amp risks posed by cyber-criminals through the deployment of Phish5 email phishing simulations with supporting education processes
Network hardening Rapid deployment of customisable low-cost capex-free Canary honeypots throughout the strategic points on the network
Access amp authorisation protection Review and assess the usage amp costs (directindirect) of passwords in your own organisation ndash test the results against Secure Cloudlink
Information handling assurance Regular external expert assessment amp audit of network data governance practices and procedures
Security Through Obscurity
Warfare - The Social Threat
Attack Surface Attribution Residency Deniability -Livingroom to Boardroom
Honeypots amp Tokens ndash Evolution Mimicked
Identification and Authorisation ndash New Pathway
Thank you
Trust in ldquoTHISrdquo
Security through ObscurityRay Dalgarno
raycybercastco
New and evolving forms of malwareMark Olding Senior Enterprise Presales Consultant Kaspersky Labs
The what how who and why of computer malware
Mark OldingSenior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1NEW VIRUS EVERY HOUR
19941NEW VIRUS EVERY MINUTE
20061NEW VIRUS EVERY SECOND
2011310000NEW SAMPLES EVERY DAY
2016
THE SCALE OF THE THREAT
90
99
01
Targeted attacks
Advanced persistent threats
Traditional cybercrime
Targeted threats to organizations
Cyber-weapons
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of ThingsBig Data Fragmentation of the internet
Cloud amp Virtualization Consumerisation amp Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy amp Data protection challenge
Online banking at risk
Mobile threatsDecreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of ThingsTargeting hotel networks
Ransomware programs
Cyber mercenaries Massive data leaks
Malware for ATMs
Financial phishing attacksAttacks on
PoS terminals
Threats to Smart CitieslsquoWipersrsquo amp Cyber - sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email Exploit kits
Social Networks
BrowsersAn-droi-dOS
VULNERBILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798113087 web attacks in 2015
25 attacks per second1518 attacks per minute
21 million attacks per day 91000 attacks per hour
DRIVE-BY DOWNLOADS
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
bull Evaluate the risksbull Patch OS and applicationsbull Mange your networkbull Secure your systems
Multi-layered protection Not just endpoints Default-Deny Encrypt Donrsquot forget mobile
bull Educate staff
RIGHT NOW
bull Stop fire fighting Create a strategy
bull Itrsquos bigger than ITbull Delegate to experts
Assessment Incident response Analysis
TOMORROW
bull lsquoThe end of APTsrsquobull Alternative payment systems and stock exchangebull Sabotage extortion and shamebull Ransomwarebull Trusted resourcesbull From lsquoAPT-as-a-Servicersquo to lsquoAccess-as-a-servicersquobull Balkanisationbull Transportationbull lsquoCrypto-apocalypse
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
Operation Mincemeat - 1943Successful British disinformation plan during the Second World War to cover the invasion of Italy from North Africa To convince the Germans that instead of attacking Sicily the Allied armies would invade Greece
This was accomplished by persuading the Germans that they had by accident intercepted top secret documents giving details of Allied war plans
Attack Surface Attribution Residency
DeniabilityFrom the living room to the boardroom
Attack Surface
From ordinary consumers to a single-office business through the regulatory bodies to the national and global giants
The environment dictates the approach ndash no ldquoSilver Bulletrdquo
Layered security ndash combining multiple mitigating security controls to cost effectively protect resources amp data
Attack AttributionAt which point in the attack do you realise that you have been hacked
TalkTalk DNC Yahoo
There are very few ldquosmoking gunsrdquo visible
Attacks that often begin with broadly targeted phishing that can introduce amp run new binaries on victims networks amp that connect to random internal hosts using exfiltrated credentials can still remain hidden for a year
Examples of Global IT Vendorsrsquo Vulnerabilities
Microsoft Microsoft August (2016) Patch Tuesday included five updates rated
critical out of a total of nine bringing the number of patches for the year-to-date at 103
SAP There are vulnerabilities in almost every SAP module CRM EP and SRM
are leaders among them ERPScan SAP Cyber Threat Report2016
Oracle MICROS (and others) In total more than one million PoS terminals around the world could be
at risk should the attacks prove to have been deeper than the companies are currently publicly admitting
Computing Aug
Dwell TimeResidency
Mandiant reported that attackers on average lurked on a network for 205 days before being discoveredsup1
Microsoft recently reported they place the number at more than 200 days to detect a security breach and 80 days to contain itsup2
1 httpswww2fireeyecomrsfireyeimagesrpt-m-trends-2015pdf2 httpsblogswindowscomwindowsexperience20160301announcing-windows-defender-advanced-threat-protection
Plausible Deniability amp Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrong doing cannot be proved as true or untrue due to a lack of evidence proving the allegation
It is a basic law for the cheat and the deceiver Be able to offer up an excuse that cannot be disproved easily and that makes sense for the situation
Trickle-down Effects
Increasing rapidity of car-trickle-down yester-yearsrsquo top end car innovations eventually migrate through the models becoming standard options in lower-priced vehicles
This pattern of innovation holds true in virtually every field including cyber- security
Malware as a Service (MaaS) ndash moving from the heavily funded specialist cyber experts down into the mass market
MaaS now commonly available at very low cost through the darknet and sites such TOR I2p
Honeypots amp TokensEvolution Mimicry
Honeypots
Venus Flytrap in Action (triggered honeypot)
Trojan Horse (passive honeypot) Greeks built used to enter the city of Troy and win the 10 year Trojan war - 4th Century story
Cartography A trap street (passive honeypot) is a fictitious entry in the form of a misrepresented street for the purpose of trapping potential copyright violators
Tempting - moneypot
All minehelliphelliphellip
Ooops
Honeypot Principle
Focus on detecting threats Here wersquod like to know immediately someone has broken into the network
and in places they shouldnrsquot be
Ensure the honeypot looks appealing to the attacker The honeypot must look legitimate amp enticing
In this attack scenario the defender has particular advantage Once attackers initially land inside your internal network theyrsquore at a
disadvantage They donrsquot know the lay of the land and they need to explore it (reconnaissance) while remaining hidden
Defence through Deception
Deception is a highly effective solution for protecting environments used to confuse delay and redirect the enemy
Lured to the Canary Honeypot the attacker will be tricked into engaging with that device and believe they are being successful in their attack
Canary ndash Today and Tomorrow
Canary - great for remote sites but what about our VM data centres
What about integration with established enterprise monitoring frameworks such as Openview CA or Microsoft SCOM
Console management limit on the number of deployed Canaries
Are ldquoCanarytokensrdquo part of tomorrowrsquos planning
Identification amp Authorisation
A new way forward
TokensTokens - In general a token is an object that represents something else such as another object (either physical or virtual) or an abstract concept In computer systems there are a number of types of tokens both hardware and software
In human terms a token of trust can exist between two parties with such levels of trust reinforced through personal introductions with other partiesA token generation amp management platform designed specifically for high security multi-services in public and private clouds
greatly enhances trustworthy information handling
Identification with Passwords Any directory service or managementplatform holding passwords becomes atarget by the attacker for credentialsrsquo theft
Passwords are fundamentally flawed Often easy to guess Are reused across different services Are written down or stored or shared Can be intercepted Are expensive to maintain 29 of all cybercrime is from stolen
passwords
Identification WITHOUT Password
The Problem The password has outlived itrsquos usefulness
Secure Cloudlinkrsquos Response Patented and highly secure tokenised message management
solution assures password redundancy User credentials are not transmitted stored or replicated Secure digital services - a snap for the user
Randomised encrypted key generation ndashno consistent key to be stolen
ConclusionPossible quick-wins
Immediate Low-risk ConsiderationsPeople protection Continuous inter-active education on the threats amp risks posed by cyber-criminals through the deployment of Phish5 email phishing simulations with supporting education processes
Network hardening Rapid deployment of customisable low-cost capex-free Canary honeypots throughout the strategic points on the network
Access amp authorisation protection Review and assess the usage amp costs (directindirect) of passwords in your own organisation ndash test the results against Secure Cloudlink
Information handling assurance Regular external expert assessment amp audit of network data governance practices and procedures
Security Through Obscurity
Warfare - The Social Threat
Attack Surface Attribution Residency Deniability -Livingroom to Boardroom
Honeypots amp Tokens ndash Evolution Mimicked
Identification and Authorisation ndash New Pathway
Thank you
Trust in ldquoTHISrdquo
Security through ObscurityRay Dalgarno
raycybercastco
New and evolving forms of malwareMark Olding Senior Enterprise Presales Consultant Kaspersky Labs
The what how who and why of computer malware
Mark OldingSenior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1NEW VIRUS EVERY HOUR
19941NEW VIRUS EVERY MINUTE
20061NEW VIRUS EVERY SECOND
2011310000NEW SAMPLES EVERY DAY
2016
THE SCALE OF THE THREAT
90
99
01
Targeted attacks
Advanced persistent threats
Traditional cybercrime
Targeted threats to organizations
Cyber-weapons
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of ThingsBig Data Fragmentation of the internet
Cloud amp Virtualization Consumerisation amp Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy amp Data protection challenge
Online banking at risk
Mobile threatsDecreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of ThingsTargeting hotel networks
Ransomware programs
Cyber mercenaries Massive data leaks
Malware for ATMs
Financial phishing attacksAttacks on
PoS terminals
Threats to Smart CitieslsquoWipersrsquo amp Cyber - sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email Exploit kits
Social Networks
BrowsersAn-droi-dOS
VULNERBILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798113087 web attacks in 2015
25 attacks per second1518 attacks per minute
21 million attacks per day 91000 attacks per hour
DRIVE-BY DOWNLOADS
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE (chart): malware samples by quarter, Q1 2011 to Q3 2015, scale 0 to 1,600,000
MOBILE MALWARE by type (chart): Adware, RiskTool, Trojan-SMS, Trojan, Trojan-Spy, Backdoor, Trojan-Downloader, Trojan-Banker, Trojan-Ransom, Monitor, Other
RIGHT NOW
• Evaluate the risks
• Patch OS and applications
• Manage your network
• Secure your systems: multi-layered protection, not just endpoints; default-deny; encrypt; don't forget mobile
• Educate staff
• Stop fire fighting, create a strategy
• It's bigger than IT: delegate to experts (assessment, incident response, analysis)
TOMORROW: FUTURE PROSPECTS
• 'The end of APTs'
• Alternative payment systems and stock exchange
• Sabotage, extortion and shame
• Ransomware
• Trusted resources
• From 'APT-as-a-Service' to 'Access-as-a-Service'
• Balkanisation
• Transportation
• 'Crypto-apocalypse'
THANK YOU
Closing keynote address: Vicki Gavin, Compliance Director, Head of Business Continuity & Information Security, The Economist Group
Thank you
Attack Surface, Attribution, Residency, Deniability: from the living room to the boardroom
Attack Surface
From ordinary consumers to a single-office business, through the regulatory bodies, to the national and global giants.
The environment dictates the approach – no "silver bullet".
Layered security – combining multiple mitigating security controls to cost-effectively protect resources & data.
Attack Attribution
At which point in the attack do you realise that you have been hacked?
TalkTalk, DNC, Yahoo
There are very few "smoking guns" visible.
Attacks that begin with broadly targeted phishing, introduce and run new binaries on the victim's network, and connect to arbitrary internal hosts using exfiltrated credentials can still remain hidden for a year.
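The behaviour the slide describes, a phished account reaching internal hosts it never touched before, is detectable from authentication logs without any knowledge of the binaries involved. The rule below is an added example, not the speaker's material: it baselines which hosts each account normally reaches, then alerts when one account successfully logs on to more than a threshold of never-before-seen hosts inside a short sliding window. The log format, user names, hostnames and the baseline cut-off are constructed for the example.

```python
"""Lateral-movement detection over a constructed authentication log.
Added example; the format and every host and user below are made up."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log, one event per line:
# "<ISO timestamp> <user> <source host> -> <target host> <result>"
SAMPLE_LOG = """\
2016-08-01T09:02:11 alice ws-alice -> fileserver01 success
2016-08-01T09:05:40 alice ws-alice -> mail01 success
2016-08-01T11:15:03 bob ws-bob -> fileserver01 success
2016-08-01T11:20:00 bob ws-bob -> mail01 success
2016-08-02T02:13:55 svc_backup bk01 -> db02 success
2016-08-02T02:14:01 svc_backup bk01 -> db02 failure
2016-08-02T02:14:20 bob ws-bob -> hr-db01 success
2016-08-02T02:14:27 bob ws-bob -> fin-db01 success
2016-08-02T02:14:33 bob ws-bob -> ws-carol success
2016-08-02T02:14:40 bob ws-bob -> ws-dave failure
2016-08-02T02:14:49 bob ws-bob -> ws-erin success
2016-08-02T02:15:02 bob ws-bob -> backup01 success
"""

# Assumed tuning: everything up to BASELINE_END is "normal" history for each user.
BASELINE_END = datetime(2016, 8, 1, 23, 59, 59)
WINDOW = timedelta(minutes=10)
MAX_NEW_HOSTS = 3


def parse_events(log_text):
    """Yield (timestamp, user, target, result) from the constructed format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, _src, _arrow, target, result = line.split()
        yield datetime.fromisoformat(ts), user, target, result


def lateral_movement_alerts(log_text, baseline_end, window=WINDOW,
                            max_new_hosts=MAX_NEW_HOSTS):
    """Return one alert per user whose successful logons reach more than
    max_new_hosts hosts absent from that user's baseline, all within one
    window. Failed logons are excluded from the count so that a burst of
    refused attempts neither triggers nor masks the rule on its own."""
    known = defaultdict(set)     # user -> hosts seen during the baseline
    recent = defaultdict(list)   # user -> [(timestamp, host)] after it
    for ts, user, target, result in parse_events(log_text):
        if result != "success":
            continue
        if ts <= baseline_end:
            known[user].add(target)
        else:
            recent[user].append((ts, target))

    alerts = []
    for user, events in recent.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            new_hosts = {host for ts, host in events[i:]
                         if ts - start <= window and host not in known[user]}
            if len(new_hosts) > max_new_hosts:
                alerts.append({"user": user, "start": start,
                               "new_hosts": sorted(new_hosts)})
                break   # one alert per user is enough to open an incident
    return alerts


if __name__ == "__main__":
    for a in lateral_movement_alerts(SAMPLE_LOG, BASELINE_END):
        print(f"{a['start']} {a['user']} reached {len(a['new_hosts'])} "
              f"new hosts: {a['new_hosts']}")
```

On the constructed log the backup service account, which only ever reaches db02, stays quiet, while bob's 02:14 sweep across five hosts he had never used is reported. In a real deployment the baseline would be rebuilt periodically and the threshold set per role, since administrators legitimately touch many hosts.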
Examples of Global IT Vendors' Vulnerabilities
Microsoft: the August 2016 Patch Tuesday included five updates rated critical out of a total of nine, bringing the number of patches for the year to date to 103.
SAP: there are vulnerabilities in almost every SAP module; CRM, EP and SRM are leaders among them (ERPScan, SAP Cyber Threat Report 2016).
Oracle MICROS (and others): in total more than one million PoS terminals around the world could be at risk, should the attacks prove to have been deeper than the companies are currently publicly admitting (Computing, August).
Dwell Time / Residency
Mandiant reported that attackers on average lurked on a network for 205 days before being discovered.¹
Microsoft recently reported that they place the number at more than 200 days to detect a security breach and 80 days to contain it.²
1. https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf
2. https://blogs.windows.com/windowsexperience/2016/03/01/announcing-windows-defender-advanced-threat-protection
Plausible Deniability & Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrongdoing cannot be proved true or untrue, due to a lack of evidence proving the allegation.
It is a basic law for the cheat and the deceiver: be able to offer up an excuse that cannot easily be disproved and that makes sense for the situation.
Trickle-down Effects
Trickle-down is accelerating: yesteryear's top-end car innovations eventually migrate through the models, becoming standard options in lower-priced vehicles.
This pattern of innovation holds true in virtually every field, including cyber security.
Malware as a Service (MaaS) – moving from the heavily funded specialist cyber experts down into the mass market.
MaaS is now commonly available at very low cost through darknet markets reached over anonymity networks such as Tor and I2P.
Honeypots & Tokens: Evolution, Mimicry
Honeypots
Venus flytrap in action (triggered honeypot).
Trojan Horse (passive honeypot): built by the Greeks to enter the city of Troy and win the ten-year Trojan War – a 4th-century story.
Cartography: a trap street (passive honeypot) is a fictitious entry, in the form of a misrepresented street, placed for the purpose of trapping potential copyright violators.
Tempting: the moneypot ("All mine…" / "Ooops").
Honeypot Principle
Focus on detecting threats: here we'd like to know immediately that someone has broken into the network and is in places they shouldn't be.
Ensure the honeypot looks appealing to the attacker: it must look legitimate & enticing.
In this attack scenario the defender has a particular advantage. Once attackers initially land inside your internal network they're at a disadvantage: they don't know the lay of the land and they need to explore it (reconnaissance) while remaining hidden.
Defence through Deception
Deception is a highly effective solution for protecting environments, used to confuse, delay and redirect the enemy.
Lured to the Canary honeypot, the attacker is tricked into engaging with that device and believes they are being successful in their attack.
Canary – Today and Tomorrow
Canary is great for remote sites, but what about our VM data centres?
What about integration with established enterprise monitoring frameworks such as OpenView, CA or Microsoft SCOM?
Console management: a limit on the number of deployed Canaries.
Are "Canarytokens" part of tomorrow's planning?
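A canarytoken applies the honeypot principle above to a single artefact rather than a whole device: a unique, unguessable marker planted in a tempting file, where no legitimate process will ever touch it, so any request carrying it is by definition a detection. The code below is an added example of that workflow, not Thinkst's Canary or Canarytokens product and not the speaker's material. The beacon hostname, the decoy text, the signing key and the access-log lines are constructed; the HMAC tag on each token is an assumption of this example, included so the collector can discard forged or guessed tokens instead of paging on them.

```python
"""Minimal canarytoken mint / plant / detect cycle. Added example; the
beacon host, key, decoy content and log lines are all constructed."""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass

BEACON_HOST = "canary.corp.example"   # assumed DNS name the decoy URLs point at
TOKEN_RE = re.compile(r"GET /t/([0-9a-f]{32})/")


@dataclass(frozen=True)
class Canary:
    token: str       # 16 hex chars of randomness + 16 hex chars of HMAC tag
    placed_in: str   # where the decoy was planted, so an alert says what was touched


def _tag(key, rand):
    return hmac.new(key, rand.encode(), hashlib.sha256).hexdigest()[:16]


def mint_canary(key, placed_in):
    """Create a fresh token and record where its decoy will be planted."""
    rand = secrets.token_hex(8)
    return Canary(rand + _tag(key, rand), placed_in)


def decoy_document(canary):
    """Text for a tempting file such as passwords.txt on a file share."""
    return (f"Finance VPN portal: http://{BEACON_HOST}/t/{canary.token}/login\n"
            f"username: finadmin\npassword: Winter2016!\n")


def token_is_genuine(key, token):
    """Reject tokens that merely match the pattern but were not minted by us."""
    rand, tag = token[:16], token[16:]
    return hmac.compare_digest(tag, _tag(key, rand))


def detect_hits(key, canaries, access_log_lines):
    """Scan web-server access log lines (combined log format) and return
    (placed_in, client_ip, timestamp) for every genuine canary request."""
    by_token = {c.token: c for c in canaries}
    hits = []
    for line in access_log_lines:
        m = TOKEN_RE.search(line)
        if not m:
            continue
        token = m.group(1)
        if not token_is_genuine(key, token) or token not in by_token:
            continue   # forged, guessed or retired token: not an alert
        client_ip = line.split()[0]
        timestamp = line[line.index("[") + 1:line.index("]")]
        hits.append((by_token[token].placed_in, client_ip, timestamp))
    return hits


def sample_access_log(token):
    """Constructed log: an ordinary request, a real hit and a forged token."""
    forged = "0" * 32
    return [
        '10.0.1.5 - - [02/Aug/2016:02:14:20 +0000] "GET /index.html HTTP/1.1" 200 512',
        f'10.0.5.23 - - [02/Aug/2016:02:31:07 +0000] "GET /t/{token}/login HTTP/1.1" 404 0',
        f'10.0.9.9 - - [02/Aug/2016:02:32:44 +0000] "GET /t/{forged}/login HTTP/1.1" 404 0',
    ]


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    canary = mint_canary(key, r"\\fs01\finance\passwords.txt")
    print(decoy_document(canary))
    for placed_in, ip, when in detect_hits(key, [canary], sample_access_log(canary.token)):
        print(f"ALERT {when}: {ip} used the decoy planted in {placed_in}")
```

The beacon server can answer every token URL with a 404; the alert comes from the log line, not the response, which is what makes the approach cheap enough to scatter tokens across every share, mailbox and wiki page. The forged request in the constructed log shows the other half of the design: an attacker who notices the URL pattern cannot generate noise by guessing tokens.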
Identification & Authorisation: A new way forward
Tokens: in general a token is an object that represents something else, such as another object (either physical or virtual) or an abstract concept. In computer systems there are a number of types of tokens, both hardware and software.
In human terms a token of trust can exist between two parties, with such levels of trust reinforced through personal introductions with other parties.
A token generation & management platform designed specifically for high-security multi-services in public and private clouds greatly enhances trustworthy information handling.
Identification with Passwords
Any directory service or management platform holding passwords becomes a target for credential theft by the attacker.
Passwords are fundamentally flawed: often easy to guess; reused across different services; written down, stored or shared; able to be intercepted; expensive to maintain. 29% of all cybercrime is from stolen passwords.
Identification WITHOUT Password
The problem: the password has outlived its usefulness.
Secure Cloudlink's response: a patented and highly secure tokenised message management solution that assures password redundancy. User credentials are not transmitted, stored or replicated. Secure digital services – a snap for the user. Randomised encrypted key generation – no consistent key to be stolen.
Conclusion: Possible Quick-wins
Immediate low-risk considerations
People protection: continuous interactive education on the threats & risks posed by cyber-criminals, through the deployment of Phish5 email phishing simulations with supporting education processes.
Network hardening: rapid deployment of customisable, low-cost, capex-free Canary honeypots at the strategic points on the network.
Access & authorisation protection: review and assess the usage & costs (direct/indirect) of passwords in your own organisation – test the results against Secure Cloudlink.
Information handling assurance: regular external expert assessment & audit of network data governance practices and procedures.
Security Through Obscurity
Warfare – The Social Threat
Attack Surface, Attribution, Residency, Deniability – Living room to Boardroom
Honeypots & Tokens – Evolution Mimicked
Identification and Authorisation – New Pathway
Thank you
Trust in "THIS"
Security through Obscurity – Ray Dalgarno
raycybercastco
New and evolving forms of malware
Mark Olding, Senior Enterprise Presales Consultant, Kaspersky Lab
The what, how, who and why of computer malware
THE SCALE OF THE THREAT
1994: 1 new virus every hour
2006: 1 new virus every minute
2011: 1 new virus every second
2016: 310,000 new samples every day
THE SCALE OF THE THREAT (share of all threats)
Traditional cybercrime: 90%
Targeted threats to organizations (targeted attacks, advanced persistent threats): 9.9%
Cyber-weapons: 0.1%
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of Things; Big Data; fragmentation of the internet; cloud & virtualization; consumerisation & mobility; critical infrastructure at risk; increasing online commerce; privacy & data protection challenge; online banking at risk; mobile threats; decreasing costs of APTs; merger of cyber crime and APTs; supply chain attacks; targeting hotel networks; ransomware programs; cyber mercenaries; massive data leaks; malware for ATMs; financial phishing attacks; attacks on PoS terminals; threats to smart cities; 'wipers' & cyber-sabotage; targeted attacks
HOW MALWARE SPREADS
USB sticks; email; exploit kits; social networks; browsers; Android OS
VULNERABILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab detected 798,113,087 web attacks in 2015:
25 attacks per second, 1,518 attacks per minute, 91,000 attacks per hour, 2.1 million attacks per day.
DRIVE-BY DOWNLOADS (June 2015)
SOCIAL MEDIA (June 2015)
REMOVABLE DRIVES (June 2015)
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015 (chart): users attacked per month, Nov 2014 to Sep 2015, scale 0 to 450,000
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
bull Evaluate the risksbull Patch OS and applicationsbull Mange your networkbull Secure your systems
Multi-layered protection Not just endpoints Default-Deny Encrypt Donrsquot forget mobile
bull Educate staff
RIGHT NOW
bull Stop fire fighting Create a strategy
bull Itrsquos bigger than ITbull Delegate to experts
Assessment Incident response Analysis
TOMORROW
bull lsquoThe end of APTsrsquobull Alternative payment systems and stock exchangebull Sabotage extortion and shamebull Ransomwarebull Trusted resourcesbull From lsquoAPT-as-a-Servicersquo to lsquoAccess-as-a-servicersquobull Balkanisationbull Transportationbull lsquoCrypto-apocalypse
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
Attack Surface
From ordinary consumers to a single-office business through the regulatory bodies to the national and global giants
The environment dictates the approach ndash no ldquoSilver Bulletrdquo
Layered security ndash combining multiple mitigating security controls to cost effectively protect resources amp data
Attack AttributionAt which point in the attack do you realise that you have been hacked
TalkTalk DNC Yahoo
There are very few ldquosmoking gunsrdquo visible
Attacks that often begin with broadly targeted phishing that can introduce amp run new binaries on victims networks amp that connect to random internal hosts using exfiltrated credentials can still remain hidden for a year
Examples of Global IT Vendorsrsquo Vulnerabilities
Microsoft Microsoft August (2016) Patch Tuesday included five updates rated
critical out of a total of nine bringing the number of patches for the year-to-date at 103
SAP There are vulnerabilities in almost every SAP module CRM EP and SRM
are leaders among them ERPScan SAP Cyber Threat Report2016
Oracle MICROS (and others) In total more than one million PoS terminals around the world could be
at risk should the attacks prove to have been deeper than the companies are currently publicly admitting
Computing Aug
Dwell TimeResidency
Mandiant reported that attackers on average lurked on a network for 205 days before being discoveredsup1
Microsoft recently reported they place the number at more than 200 days to detect a security breach and 80 days to contain itsup2
1 httpswww2fireeyecomrsfireyeimagesrpt-m-trends-2015pdf2 httpsblogswindowscomwindowsexperience20160301announcing-windows-defender-advanced-threat-protection
Plausible Deniability amp Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrong doing cannot be proved as true or untrue due to a lack of evidence proving the allegation
It is a basic law for the cheat and the deceiver Be able to offer up an excuse that cannot be disproved easily and that makes sense for the situation
Trickle-down Effects
Increasing rapidity of car-trickle-down yester-yearsrsquo top end car innovations eventually migrate through the models becoming standard options in lower-priced vehicles
This pattern of innovation holds true in virtually every field including cyber- security
Malware as a Service (MaaS) ndash moving from the heavily funded specialist cyber experts down into the mass market
MaaS now commonly available at very low cost through the darknet and sites such TOR I2p
Honeypots amp TokensEvolution Mimicry
Honeypots
Venus Flytrap in Action (triggered honeypot)
Trojan Horse (passive honeypot) Greeks built used to enter the city of Troy and win the 10 year Trojan war - 4th Century story
Cartography A trap street (passive honeypot) is a fictitious entry in the form of a misrepresented street for the purpose of trapping potential copyright violators
Tempting - moneypot
All minehelliphelliphellip
Ooops
Honeypot Principle
Focus on detecting threats Here wersquod like to know immediately someone has broken into the network
and in places they shouldnrsquot be
Ensure the honeypot looks appealing to the attacker The honeypot must look legitimate amp enticing
In this attack scenario the defender has particular advantage Once attackers initially land inside your internal network theyrsquore at a
disadvantage They donrsquot know the lay of the land and they need to explore it (reconnaissance) while remaining hidden
Defence through Deception
Deception is a highly effective solution for protecting environments used to confuse delay and redirect the enemy
Lured to the Canary Honeypot the attacker will be tricked into engaging with that device and believe they are being successful in their attack
Canary ndash Today and Tomorrow
Canary - great for remote sites but what about our VM data centres
What about integration with established enterprise monitoring frameworks such as Openview CA or Microsoft SCOM
Console management limit on the number of deployed Canaries
Are ldquoCanarytokensrdquo part of tomorrowrsquos planning
Identification amp Authorisation
A new way forward
TokensTokens - In general a token is an object that represents something else such as another object (either physical or virtual) or an abstract concept In computer systems there are a number of types of tokens both hardware and software
In human terms a token of trust can exist between two parties with such levels of trust reinforced through personal introductions with other partiesA token generation amp management platform designed specifically for high security multi-services in public and private clouds
greatly enhances trustworthy information handling
Identification with Passwords Any directory service or managementplatform holding passwords becomes atarget by the attacker for credentialsrsquo theft
Passwords are fundamentally flawed Often easy to guess Are reused across different services Are written down or stored or shared Can be intercepted Are expensive to maintain 29 of all cybercrime is from stolen
passwords
Identification WITHOUT Password
The Problem The password has outlived itrsquos usefulness
Secure Cloudlinkrsquos Response Patented and highly secure tokenised message management
solution assures password redundancy User credentials are not transmitted stored or replicated Secure digital services - a snap for the user
Randomised encrypted key generation ndashno consistent key to be stolen
ConclusionPossible quick-wins
Immediate Low-risk ConsiderationsPeople protection Continuous inter-active education on the threats amp risks posed by cyber-criminals through the deployment of Phish5 email phishing simulations with supporting education processes
Network hardening Rapid deployment of customisable low-cost capex-free Canary honeypots throughout the strategic points on the network
Access amp authorisation protection Review and assess the usage amp costs (directindirect) of passwords in your own organisation ndash test the results against Secure Cloudlink
Information handling assurance Regular external expert assessment amp audit of network data governance practices and procedures
Security Through Obscurity
Warfare - The Social Threat
Attack Surface Attribution Residency Deniability -Livingroom to Boardroom
Honeypots amp Tokens ndash Evolution Mimicked
Identification and Authorisation ndash New Pathway
Thank you
Trust in ldquoTHISrdquo
Security through ObscurityRay Dalgarno
raycybercastco
New and evolving forms of malwareMark Olding Senior Enterprise Presales Consultant Kaspersky Labs
The what how who and why of computer malware
Mark OldingSenior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1NEW VIRUS EVERY HOUR
19941NEW VIRUS EVERY MINUTE
20061NEW VIRUS EVERY SECOND
2011310000NEW SAMPLES EVERY DAY
2016
THE SCALE OF THE THREAT
90
99
01
Targeted attacks
Advanced persistent threats
Traditional cybercrime
Targeted threats to organizations
Cyber-weapons
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of ThingsBig Data Fragmentation of the internet
Cloud amp Virtualization Consumerisation amp Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy amp Data protection challenge
Online banking at risk
Mobile threatsDecreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of ThingsTargeting hotel networks
Ransomware programs
Cyber mercenaries Massive data leaks
Malware for ATMs
Financial phishing attacksAttacks on
PoS terminals
Threats to Smart CitieslsquoWipersrsquo amp Cyber - sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email Exploit kits
Social Networks
BrowsersAn-droi-dOS
VULNERBILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798113087 web attacks in 2015
25 attacks per second1518 attacks per minute
21 million attacks per day 91000 attacks per hour
DRIVE-BY DOWNLOADS
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
bull Evaluate the risksbull Patch OS and applicationsbull Mange your networkbull Secure your systems
Multi-layered protection Not just endpoints Default-Deny Encrypt Donrsquot forget mobile
bull Educate staff
RIGHT NOW
bull Stop fire fighting Create a strategy
bull Itrsquos bigger than ITbull Delegate to experts
Assessment Incident response Analysis
TOMORROW
bull lsquoThe end of APTsrsquobull Alternative payment systems and stock exchangebull Sabotage extortion and shamebull Ransomwarebull Trusted resourcesbull From lsquoAPT-as-a-Servicersquo to lsquoAccess-as-a-servicersquobull Balkanisationbull Transportationbull lsquoCrypto-apocalypse
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
Attack AttributionAt which point in the attack do you realise that you have been hacked
TalkTalk DNC Yahoo
There are very few ldquosmoking gunsrdquo visible
Attacks that often begin with broadly targeted phishing that can introduce amp run new binaries on victims networks amp that connect to random internal hosts using exfiltrated credentials can still remain hidden for a year
Examples of Global IT Vendorsrsquo Vulnerabilities
Microsoft Microsoft August (2016) Patch Tuesday included five updates rated
critical out of a total of nine bringing the number of patches for the year-to-date at 103
SAP There are vulnerabilities in almost every SAP module CRM EP and SRM
are leaders among them ERPScan SAP Cyber Threat Report2016
Oracle MICROS (and others) In total more than one million PoS terminals around the world could be
at risk should the attacks prove to have been deeper than the companies are currently publicly admitting
Computing Aug
Dwell TimeResidency
Mandiant reported that attackers on average lurked on a network for 205 days before being discoveredsup1
Microsoft recently reported they place the number at more than 200 days to detect a security breach and 80 days to contain itsup2
1 httpswww2fireeyecomrsfireyeimagesrpt-m-trends-2015pdf2 httpsblogswindowscomwindowsexperience20160301announcing-windows-defender-advanced-threat-protection
Plausible Deniability amp Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrong doing cannot be proved as true or untrue due to a lack of evidence proving the allegation
It is a basic law for the cheat and the deceiver Be able to offer up an excuse that cannot be disproved easily and that makes sense for the situation
Trickle-down Effects
Increasing rapidity of car-trickle-down yester-yearsrsquo top end car innovations eventually migrate through the models becoming standard options in lower-priced vehicles
This pattern of innovation holds true in virtually every field including cyber- security
Malware as a Service (MaaS) ndash moving from the heavily funded specialist cyber experts down into the mass market
MaaS now commonly available at very low cost through the darknet and sites such TOR I2p
Honeypots amp TokensEvolution Mimicry
Honeypots
Venus Flytrap in Action (triggered honeypot)
Trojan Horse (passive honeypot) Greeks built used to enter the city of Troy and win the 10 year Trojan war - 4th Century story
Cartography A trap street (passive honeypot) is a fictitious entry in the form of a misrepresented street for the purpose of trapping potential copyright violators
Tempting - moneypot
All minehelliphelliphellip
Ooops
Honeypot Principle
Focus on detecting threats Here wersquod like to know immediately someone has broken into the network
and in places they shouldnrsquot be
Ensure the honeypot looks appealing to the attacker The honeypot must look legitimate amp enticing
In this attack scenario the defender has particular advantage Once attackers initially land inside your internal network theyrsquore at a
disadvantage They donrsquot know the lay of the land and they need to explore it (reconnaissance) while remaining hidden
Defence through Deception
Deception is a highly effective solution for protecting environments used to confuse delay and redirect the enemy
Lured to the Canary Honeypot the attacker will be tricked into engaging with that device and believe they are being successful in their attack
Canary ndash Today and Tomorrow
Canary - great for remote sites but what about our VM data centres
What about integration with established enterprise monitoring frameworks such as Openview CA or Microsoft SCOM
Console management limit on the number of deployed Canaries
Are ldquoCanarytokensrdquo part of tomorrowrsquos planning
Identification amp Authorisation
A new way forward
TokensTokens - In general a token is an object that represents something else such as another object (either physical or virtual) or an abstract concept In computer systems there are a number of types of tokens both hardware and software
In human terms a token of trust can exist between two parties with such levels of trust reinforced through personal introductions with other partiesA token generation amp management platform designed specifically for high security multi-services in public and private clouds
greatly enhances trustworthy information handling
Identification with Passwords Any directory service or managementplatform holding passwords becomes atarget by the attacker for credentialsrsquo theft
Passwords are fundamentally flawed Often easy to guess Are reused across different services Are written down or stored or shared Can be intercepted Are expensive to maintain 29 of all cybercrime is from stolen
passwords
Identification WITHOUT Password
The Problem The password has outlived itrsquos usefulness
Secure Cloudlinkrsquos Response Patented and highly secure tokenised message management
solution assures password redundancy User credentials are not transmitted stored or replicated Secure digital services - a snap for the user
Randomised encrypted key generation ndashno consistent key to be stolen
ConclusionPossible quick-wins
Immediate Low-risk ConsiderationsPeople protection Continuous inter-active education on the threats amp risks posed by cyber-criminals through the deployment of Phish5 email phishing simulations with supporting education processes
Network hardening Rapid deployment of customisable low-cost capex-free Canary honeypots throughout the strategic points on the network
Access amp authorisation protection Review and assess the usage amp costs (directindirect) of passwords in your own organisation ndash test the results against Secure Cloudlink
Information handling assurance Regular external expert assessment amp audit of network data governance practices and procedures
Security Through Obscurity
Warfare - The Social Threat
Attack Surface Attribution Residency Deniability -Livingroom to Boardroom
Honeypots amp Tokens ndash Evolution Mimicked
Identification and Authorisation ndash New Pathway
Thank you
Trust in ldquoTHISrdquo
Security through ObscurityRay Dalgarno
raycybercastco
New and evolving forms of malwareMark Olding Senior Enterprise Presales Consultant Kaspersky Labs
The what how who and why of computer malware
Mark OldingSenior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1NEW VIRUS EVERY HOUR
19941NEW VIRUS EVERY MINUTE
20061NEW VIRUS EVERY SECOND
2011310000NEW SAMPLES EVERY DAY
2016
THE SCALE OF THE THREAT
90
99
01
Targeted attacks
Advanced persistent threats
Traditional cybercrime
Targeted threats to organizations
Cyber-weapons
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of ThingsBig Data Fragmentation of the internet
Cloud amp Virtualization Consumerisation amp Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy amp Data protection challenge
Online banking at risk
Mobile threatsDecreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of ThingsTargeting hotel networks
Ransomware programs
Cyber mercenaries Massive data leaks
Malware for ATMs
Financial phishing attacksAttacks on
PoS terminals
Threats to Smart CitieslsquoWipersrsquo amp Cyber - sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email Exploit kits
Social Networks
BrowsersAn-droi-dOS
VULNERBILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798113087 web attacks in 2015
25 attacks per second1518 attacks per minute
21 million attacks per day 91000 attacks per hour
DRIVE-BY DOWNLOADS
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Advanced Persistent Threats (timeline): Stuxnet, Duqu, Gauss, Flame, MiniFlame, Kimsuky, NetTraveler, Winnti, Icefog, RedOctober, Miniduke, TeamSpy, Energetic Bear / Crouching Yeti, Epic Turla, Careto / The Mask, Regin, CosmicDuke, Darkhotel, Spring Dragon, Satellite Turla, MsnMM Campaigns, Darkhotel Part 2, Animal Farm, Equation, Desert Falcons, Carbanak, Sofacy, Hellsing, Naikon, Duqu 2.0, Blue Termite, Wild Neutron.
We discover and dissect the world's most sophisticated malware.
HOW THE CARBANAK CYBERGANG STOLE $1bn: a targeted attack on a bank
1. Infection: Carbanak sent the backdoor as an attachment; bank employees received emails with exploits; credentials were stolen; hundreds of machines were infected in the search for an admin PC.
2. Harvesting intelligence: intercepting (recording) the clerk's screen on the admin's cash transfer systems.
3. Mimicking the staff, how the money was stolen:
• Online banking: money was transferred to the fraudsters' accounts.
• E-payment systems: money was transferred to banks in China and the US.
• Inflated account balances: the extra funds were pocketed via a fraudulent transaction.
• Controlling ATMs: orders to dispense cash at a pre-determined time.
MAC MALWARE
• In 2012 the Flashback botnet was discovered, consisting of 700,000 computers all running Mac OS X.
• Cybercriminals repeatedly use Mac malware when launching targeted attacks.
• Macs can unknowingly pass PC malware on to the PCs in your network.
[Chart: Mac malware samples, 2003 to 2015; y-axis 0 to 30,000]
• Since 2012 the proportion of adware on OS X has increased fivefold (x5).
• Kaspersky Lab recorded almost 6 million unique attacks on Mac devices in 2015.
• There are more than 24,000 samples of malicious OS X files in Kaspersky Lab's collection.
MOBILE MALWARE
[Chart: mobile malware samples per quarter, Q1 2011 to Q3 2015; y-axis 0 to 1,600,000]
Mobile malware by type: Adware, RiskTool, Trojan-SMS, Trojan, Trojan-Spy, Backdoor, Trojan-Downloader, Trojan-Banker, Trojan-Ransom, Monitor, Other.
RIGHT NOW
• Evaluate the risks
• Patch OS and applications
• Manage your network
• Secure your systems: multi-layered protection, not just endpoints; Default-Deny; encrypt; don't forget mobile
• Educate staff
TOMORROW
• Stop fire fighting: create a strategy
• It's bigger than IT
• Delegate to experts: assessment, incident response, analysis
FUTURE PROSPECTS
• 'The end of APTs'
• Alternative payment systems and stock exchange
• Sabotage, extortion and shame
• Ransomware
• Trusted resources
• From 'APT-as-a-Service' to 'Access-as-a-service'
• Balkanisation
• Transportation
• 'Crypto-apocalypse'
THANK YOU
Closing keynote address: Vicki Gavin, Compliance Director, Head of Business Continuity & Information Security, The Economist Group
Thank you
Examples of Global IT Vendors' Vulnerabilities
• Microsoft: Microsoft's August 2016 Patch Tuesday included five updates rated critical out of a total of nine, bringing the number of patches for the year to date to 103.
• SAP: There are vulnerabilities in almost every SAP module; CRM, EP and SRM are leaders among them (ERPScan SAP Cyber Threat Report 2016).
• Oracle MICROS (and others): In total more than one million PoS terminals around the world could be at risk should the attacks prove to have been deeper than the companies are currently publicly admitting (Computing, Aug).
Dwell Time / Residency
Mandiant reported that attackers on average lurked on a network for 205 days before being discovered.¹
Microsoft recently reported they place the number at more than 200 days to detect a security breach and 80 days to contain it.²
1. https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf
2. https://blogs.windows.com/windowsexperience/2016/03/01/announcing-windows-defender-advanced-threat-protection
Plausible Deniability & Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrongdoing cannot be proved true or untrue, due to a lack of evidence proving the allegation.
It is a basic law for the cheat and the deceiver: be able to offer up an excuse that cannot be disproved easily and that makes sense for the situation.
Trickle-down Effects
Increasing rapidity of car trickle-down: yesteryears' top-end car innovations eventually migrate through the models, becoming standard options in lower-priced vehicles.
This pattern of innovation holds true in virtually every field, including cyber-security.
Malware as a Service (MaaS): moving from the heavily funded specialist cyber experts down into the mass market.
MaaS is now commonly available at very low cost through the darknet and sites such as TOR and I2P.
Honeypots & Tokens: Evolution / Mimicry
Honeypots
• Venus flytrap in action (triggered honeypot).
• Trojan Horse (passive honeypot): built by the Greeks and used to enter the city of Troy and win the 10-year Trojan war (4th century story).
• Cartography: a trap street (passive honeypot) is a fictitious entry in the form of a misrepresented street, for the purpose of trapping potential copyright violators.
• Tempting: moneypot. 'All mine.........' Ooops.
Honeypot Principle
Focus on detecting threats: here we'd like to know immediately that someone has broken into the network and is in places they shouldn't be.
Ensure the honeypot looks appealing to the attacker: the honeypot must look legitimate & enticing.
In this attack scenario the defender has a particular advantage. Once attackers initially land inside your internal network they're at a disadvantage: they don't know the lay of the land and they need to explore it (reconnaissance) while remaining hidden.
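One way to make the principle concrete, as an added example that is not code from the talk or from any Canary product: a minimal decoy TCP service that presents a plausible banner and turns every connection into an alert record, since nothing legitimate should ever talk to it. The loopback host, the free-port binding and the FTP-style banner are constructed values.

```python
"""Minimal decoy-service listener illustrating the honeypot principle described
above: no legitimate system ever talks to the decoy, so any connection at all is
a high-fidelity alert. Added example, not code from the talk or from any Canary
product. Host, port and banner are constructed values."""
import socket
import threading
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class CanaryAlert:
    """One alert record: who touched the decoy, when, and what they sent first."""
    timestamp: str
    peer_ip: str
    peer_port: int
    decoy_port: int
    first_bytes: bytes

    def summary(self) -> str:
        return (f"[{self.timestamp}] CANARY TRIPPED: {self.peer_ip}:{self.peer_port} "
                f"-> decoy tcp/{self.decoy_port}, first bytes {self.first_bytes!r}")


class DecoyService:
    """A fake TCP service that records every connection as an alert.

    The banner should mimic a real service so the decoy looks legitimate and
    enticing; the FTP-style greeting below is a constructed example."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0,
                 banner: bytes = b"220 files01.corp.example FTP server ready\r\n"):
        self.host, self.port, self.banner = host, port, banner
        self._alerts: List[CanaryAlert] = []
        self._cond = threading.Condition()
        self._running = False
        self._sock: Optional[socket.socket] = None
        self._thread: Optional[threading.Thread] = None

    def start(self) -> int:
        """Bind (port 0 = any free port), serve in the background, return the port."""
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.host, self.port))
        self._sock.listen(5)
        self._sock.settimeout(0.2)  # short timeout so the loop can notice stop()
        self.port = self._sock.getsockname()[1]
        self._running = True
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()
        return self.port

    def _serve(self) -> None:
        while self._running:
            try:
                conn, peer = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:
                conn.settimeout(1.0)
                try:
                    conn.sendall(self.banner)
                    data = conn.recv(256)  # capture what the intruder tries first
                except (socket.timeout, OSError):
                    data = b""
            alert = CanaryAlert(datetime.now(timezone.utc).isoformat(timespec="seconds"),
                                peer[0], peer[1], self.port, data)
            with self._cond:
                self._alerts.append(alert)  # in production: forward to SIEM / pager
                self._cond.notify_all()

    def wait_for_alerts(self, count: int, timeout: float = 5.0) -> List[CanaryAlert]:
        """Block until at least `count` alerts exist or the timeout passes."""
        with self._cond:
            self._cond.wait_for(lambda: len(self._alerts) >= count, timeout=timeout)
            return list(self._alerts)

    def stop(self) -> None:
        self._running = False
        if self._thread:
            self._thread.join(timeout=2.0)
        if self._sock:
            self._sock.close()


def probe_decoy(port: int, payload: bytes, host: str = "127.0.0.1") -> bytes:
    """Stand-in for an intruder's reconnaissance: connect, read banner, send one line."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        banner = s.recv(256)
        s.sendall(payload)
    return banner
```

Every record returned by `wait_for_alerts` is a true positive by construction, which is what makes a decoy cheaper to triage than signature-based alerts on production hosts.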
Defence through Deception
Deception is a highly effective solution for protecting environments, used to confuse, delay and redirect the enemy.
Lured to the Canary honeypot, the attacker will be tricked into engaging with that device and believe they are being successful in their attack.
Canary: Today and Tomorrow
• Canary is great for remote sites, but what about our VM data centres?
• What about integration with established enterprise monitoring frameworks such as OpenView, CA or Microsoft SCOM?
• Console management: is there a limit on the number of deployed Canaries?
• Are "Canarytokens" part of tomorrow's planning?
Identification & Authorisation: A new way forward
Tokens: In general a token is an object that represents something else, such as another object (either physical or virtual) or an abstract concept. In computer systems there are a number of types of tokens, both hardware and software.
In human terms a token of trust can exist between two parties, with such levels of trust reinforced through personal introductions with other parties. A token generation & management platform designed specifically for high-security multi-services in public and private clouds greatly enhances trustworthy information handling.
Identification with Passwords: Any directory service or management platform holding passwords becomes a target for the attacker's credential theft.
Passwords are fundamentally flawed: often easy to guess; reused across different services; written down, stored or shared; can be intercepted; expensive to maintain. 29% of all cybercrime is from stolen passwords.
Identification WITHOUT Password
The Problem: The password has outlived its usefulness.
Secure Cloudlink's Response: Patented and highly secure tokenised message management solution assures password redundancy. User credentials are not transmitted, stored or replicated. Secure digital services: a snap for the user. Randomised encrypted key generation: no consistent key to be stolen.
Conclusion: Possible quick-wins
Immediate low-risk considerations:
• People protection: Continuous interactive education on the threats & risks posed by cyber-criminals, through the deployment of Phish5 email phishing simulations with supporting education processes.
• Network hardening: Rapid deployment of customisable, low-cost, capex-free Canary honeypots throughout the strategic points on the network.
• Access & authorisation protection: Review and assess the usage & costs (direct/indirect) of passwords in your own organisation; test the results against Secure Cloudlink.
• Information handling assurance: Regular external expert assessment & audit of network data governance practices and procedures.
Security Through Obscurity (summary)
• Warfare: the social threat
• Attack surface, attribution, residency, deniability: living room to boardroom
• Honeypots & tokens: evolution mimicked
• Identification and authorisation: new pathway
Thank you
Trust in "THIS"
Security through Obscurity, Ray Dalgarno
raycybercastco
New and evolving forms of malwareMark Olding Senior Enterprise Presales Consultant Kaspersky Labs
The what how who and why of computer malware
Mark OldingSenior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1NEW VIRUS EVERY HOUR
19941NEW VIRUS EVERY MINUTE
20061NEW VIRUS EVERY SECOND
2011310000NEW SAMPLES EVERY DAY
2016
THE SCALE OF THE THREAT
90
99
01
Targeted attacks
Advanced persistent threats
Traditional cybercrime
Targeted threats to organizations
Cyber-weapons
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of ThingsBig Data Fragmentation of the internet
Cloud amp Virtualization Consumerisation amp Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy amp Data protection challenge
Online banking at risk
Mobile threatsDecreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of ThingsTargeting hotel networks
Ransomware programs
Cyber mercenaries Massive data leaks
Malware for ATMs
Financial phishing attacksAttacks on
PoS terminals
Threats to Smart CitieslsquoWipersrsquo amp Cyber - sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email Exploit kits
Social Networks
BrowsersAn-droi-dOS
VULNERBILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798113087 web attacks in 2015
25 attacks per second1518 attacks per minute
21 million attacks per day 91000 attacks per hour
DRIVE-BY DOWNLOADS
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
bull Evaluate the risksbull Patch OS and applicationsbull Mange your networkbull Secure your systems
Multi-layered protection Not just endpoints Default-Deny Encrypt Donrsquot forget mobile
bull Educate staff
RIGHT NOW
bull Stop fire fighting Create a strategy
bull Itrsquos bigger than ITbull Delegate to experts
Assessment Incident response Analysis
TOMORROW
bull lsquoThe end of APTsrsquobull Alternative payment systems and stock exchangebull Sabotage extortion and shamebull Ransomwarebull Trusted resourcesbull From lsquoAPT-as-a-Servicersquo to lsquoAccess-as-a-servicersquobull Balkanisationbull Transportationbull lsquoCrypto-apocalypse
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
Dwell TimeResidency
Mandiant reported that attackers on average lurked on a network for 205 days before being discoveredsup1
Microsoft recently reported they place the number at more than 200 days to detect a security breach and 80 days to contain itsup2
1 httpswww2fireeyecomrsfireyeimagesrpt-m-trends-2015pdf2 httpsblogswindowscomwindowsexperience20160301announcing-windows-defender-advanced-threat-protection
Plausible Deniability amp Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrong doing cannot be proved as true or untrue due to a lack of evidence proving the allegation
It is a basic law for the cheat and the deceiver Be able to offer up an excuse that cannot be disproved easily and that makes sense for the situation
Trickle-down Effects
Increasing rapidity of car-trickle-down yester-yearsrsquo top end car innovations eventually migrate through the models becoming standard options in lower-priced vehicles
This pattern of innovation holds true in virtually every field including cyber- security
Malware as a Service (MaaS) ndash moving from the heavily funded specialist cyber experts down into the mass market
MaaS now commonly available at very low cost through the darknet and sites such TOR I2p
Honeypots amp TokensEvolution Mimicry
Honeypots
Venus Flytrap in Action (triggered honeypot)
Trojan Horse (passive honeypot) Greeks built used to enter the city of Troy and win the 10 year Trojan war - 4th Century story
Cartography A trap street (passive honeypot) is a fictitious entry in the form of a misrepresented street for the purpose of trapping potential copyright violators
Tempting - moneypot
All minehelliphelliphellip
Ooops
Honeypot Principle
Focus on detecting threats Here wersquod like to know immediately someone has broken into the network
and in places they shouldnrsquot be
Ensure the honeypot looks appealing to the attacker The honeypot must look legitimate amp enticing
In this attack scenario the defender has particular advantage Once attackers initially land inside your internal network theyrsquore at a
disadvantage They donrsquot know the lay of the land and they need to explore it (reconnaissance) while remaining hidden
Defence through Deception
Deception is a highly effective solution for protecting environments used to confuse delay and redirect the enemy
Lured to the Canary Honeypot the attacker will be tricked into engaging with that device and believe they are being successful in their attack
Canary ndash Today and Tomorrow
Canary - great for remote sites but what about our VM data centres
What about integration with established enterprise monitoring frameworks such as Openview CA or Microsoft SCOM
Console management limit on the number of deployed Canaries
Are ldquoCanarytokensrdquo part of tomorrowrsquos planning
Identification amp Authorisation
A new way forward
TokensTokens - In general a token is an object that represents something else such as another object (either physical or virtual) or an abstract concept In computer systems there are a number of types of tokens both hardware and software
In human terms a token of trust can exist between two parties with such levels of trust reinforced through personal introductions with other partiesA token generation amp management platform designed specifically for high security multi-services in public and private clouds
greatly enhances trustworthy information handling
Identification with Passwords Any directory service or managementplatform holding passwords becomes atarget by the attacker for credentialsrsquo theft
Passwords are fundamentally flawed Often easy to guess Are reused across different services Are written down or stored or shared Can be intercepted Are expensive to maintain 29 of all cybercrime is from stolen
passwords
Identification WITHOUT Password
The Problem The password has outlived itrsquos usefulness
Secure Cloudlinkrsquos Response Patented and highly secure tokenised message management
solution assures password redundancy User credentials are not transmitted stored or replicated Secure digital services - a snap for the user
Randomised encrypted key generation ndashno consistent key to be stolen
ConclusionPossible quick-wins
Immediate Low-risk ConsiderationsPeople protection Continuous inter-active education on the threats amp risks posed by cyber-criminals through the deployment of Phish5 email phishing simulations with supporting education processes
Network hardening Rapid deployment of customisable low-cost capex-free Canary honeypots throughout the strategic points on the network
Access amp authorisation protection Review and assess the usage amp costs (directindirect) of passwords in your own organisation ndash test the results against Secure Cloudlink
Information handling assurance Regular external expert assessment amp audit of network data governance practices and procedures
Security Through Obscurity
Warfare - The Social Threat
Attack Surface Attribution Residency Deniability -Livingroom to Boardroom
Honeypots amp Tokens ndash Evolution Mimicked
Identification and Authorisation ndash New Pathway
Thank you
Trust in ldquoTHISrdquo
Security through ObscurityRay Dalgarno
raycybercastco
New and evolving forms of malwareMark Olding Senior Enterprise Presales Consultant Kaspersky Labs
The what how who and why of computer malware
Mark OldingSenior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1NEW VIRUS EVERY HOUR
19941NEW VIRUS EVERY MINUTE
20061NEW VIRUS EVERY SECOND
2011310000NEW SAMPLES EVERY DAY
2016
THE SCALE OF THE THREAT
90
99
01
Targeted attacks
Advanced persistent threats
Traditional cybercrime
Targeted threats to organizations
Cyber-weapons
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of ThingsBig Data Fragmentation of the internet
Cloud amp Virtualization Consumerisation amp Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy amp Data protection challenge
Online banking at risk
Mobile threatsDecreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of ThingsTargeting hotel networks
Ransomware programs
Cyber mercenaries Massive data leaks
Malware for ATMs
Financial phishing attacksAttacks on
PoS terminals
Threats to Smart CitieslsquoWipersrsquo amp Cyber - sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email Exploit kits
Social Networks
BrowsersAn-droi-dOS
VULNERBILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798113087 web attacks in 2015
25 attacks per second1518 attacks per minute
21 million attacks per day 91000 attacks per hour
DRIVE-BY DOWNLOADS
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
bull Evaluate the risksbull Patch OS and applicationsbull Mange your networkbull Secure your systems
Multi-layered protection Not just endpoints Default-Deny Encrypt Donrsquot forget mobile
bull Educate staff
RIGHT NOW
bull Stop fire fighting Create a strategy
bull Itrsquos bigger than ITbull Delegate to experts
Assessment Incident response Analysis
TOMORROW
bull lsquoThe end of APTsrsquobull Alternative payment systems and stock exchangebull Sabotage extortion and shamebull Ransomwarebull Trusted resourcesbull From lsquoAPT-as-a-Servicersquo to lsquoAccess-as-a-servicersquobull Balkanisationbull Transportationbull lsquoCrypto-apocalypse
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
Plausible Deniability amp Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrong doing cannot be proved as true or untrue due to a lack of evidence proving the allegation
It is a basic law for the cheat and the deceiver Be able to offer up an excuse that cannot be disproved easily and that makes sense for the situation
Trickle-down Effects
Increasing rapidity of car-trickle-down yester-yearsrsquo top end car innovations eventually migrate through the models becoming standard options in lower-priced vehicles
This pattern of innovation holds true in virtually every field including cyber- security
Malware as a Service (MaaS) ndash moving from the heavily funded specialist cyber experts down into the mass market
MaaS now commonly available at very low cost through the darknet and sites such TOR I2p
Honeypots amp TokensEvolution Mimicry
Honeypots
Venus Flytrap in Action (triggered honeypot)
Trojan Horse (passive honeypot) Greeks built used to enter the city of Troy and win the 10 year Trojan war - 4th Century story
Cartography A trap street (passive honeypot) is a fictitious entry in the form of a misrepresented street for the purpose of trapping potential copyright violators
Tempting - moneypot
All minehelliphelliphellip
Ooops
Honeypot Principle
Focus on detecting threats Here wersquod like to know immediately someone has broken into the network
and in places they shouldnrsquot be
Ensure the honeypot looks appealing to the attacker The honeypot must look legitimate amp enticing
In this attack scenario the defender has particular advantage Once attackers initially land inside your internal network theyrsquore at a
disadvantage They donrsquot know the lay of the land and they need to explore it (reconnaissance) while remaining hidden
Defence through Deception
Deception is a highly effective solution for protecting environments used to confuse delay and redirect the enemy
Lured to the Canary Honeypot the attacker will be tricked into engaging with that device and believe they are being successful in their attack
Canary ndash Today and Tomorrow
Canary - great for remote sites but what about our VM data centres
What about integration with established enterprise monitoring frameworks such as Openview CA or Microsoft SCOM
Console management limit on the number of deployed Canaries
Are ldquoCanarytokensrdquo part of tomorrowrsquos planning
Identification amp Authorisation
A new way forward
TokensTokens - In general a token is an object that represents something else such as another object (either physical or virtual) or an abstract concept In computer systems there are a number of types of tokens both hardware and software
In human terms a token of trust can exist between two parties with such levels of trust reinforced through personal introductions with other partiesA token generation amp management platform designed specifically for high security multi-services in public and private clouds
greatly enhances trustworthy information handling
Identification with Passwords Any directory service or managementplatform holding passwords becomes atarget by the attacker for credentialsrsquo theft
Passwords are fundamentally flawed Often easy to guess Are reused across different services Are written down or stored or shared Can be intercepted Are expensive to maintain 29 of all cybercrime is from stolen
passwords
Identification WITHOUT Password
The Problem The password has outlived itrsquos usefulness
Secure Cloudlinkrsquos Response Patented and highly secure tokenised message management
solution assures password redundancy User credentials are not transmitted stored or replicated Secure digital services - a snap for the user
Randomised encrypted key generation ndashno consistent key to be stolen
ConclusionPossible quick-wins
Immediate Low-risk ConsiderationsPeople protection Continuous inter-active education on the threats amp risks posed by cyber-criminals through the deployment of Phish5 email phishing simulations with supporting education processes
Network hardening Rapid deployment of customisable low-cost capex-free Canary honeypots throughout the strategic points on the network
Access amp authorisation protection Review and assess the usage amp costs (directindirect) of passwords in your own organisation ndash test the results against Secure Cloudlink
Information handling assurance Regular external expert assessment amp audit of network data governance practices and procedures
Security Through Obscurity
Warfare - The Social Threat
Attack Surface Attribution Residency Deniability -Livingroom to Boardroom
Honeypots amp Tokens ndash Evolution Mimicked
Identification and Authorisation ndash New Pathway
Thank you
Trust in ldquoTHISrdquo
Security through ObscurityRay Dalgarno
raycybercastco
New and evolving forms of malwareMark Olding Senior Enterprise Presales Consultant Kaspersky Labs
The what how who and why of computer malware
Mark OldingSenior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1NEW VIRUS EVERY HOUR
19941NEW VIRUS EVERY MINUTE
20061NEW VIRUS EVERY SECOND
2011310000NEW SAMPLES EVERY DAY
2016
THE SCALE OF THE THREAT
90
99
01
Targeted attacks
Advanced persistent threats
Traditional cybercrime
Targeted threats to organizations
Cyber-weapons
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of ThingsBig Data Fragmentation of the internet
Cloud amp Virtualization Consumerisation amp Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy amp Data protection challenge
Online banking at risk
Mobile threatsDecreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of ThingsTargeting hotel networks
Ransomware programs
Cyber mercenaries Massive data leaks
Malware for ATMs
Financial phishing attacksAttacks on
PoS terminals
Threats to Smart CitieslsquoWipersrsquo amp Cyber - sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email Exploit kits
Social Networks
BrowsersAn-droi-dOS
VULNERBILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798113087 web attacks in 2015
25 attacks per second1518 attacks per minute
21 million attacks per day 91000 attacks per hour
DRIVE-BY DOWNLOADS
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
RIGHT NOW
• Evaluate the risks
• Patch OS and applications
• Manage your network
• Secure your systems: multi-layered protection, not just endpoints; Default-Deny; encrypt; don't forget mobile
• Educate staff
TOMORROW
• Stop fire fighting: create a strategy
• It's bigger than IT
• Delegate to experts: assessment, incident response, analysis
FUTURE PROSPECTS
• 'The end of APTs'
• Alternative payment systems and stock exchange
• Sabotage, extortion and shame
• Ransomware
• Trusted resources
• From 'APT-as-a-Service' to 'Access-as-a-service'
• Balkanisation
• Transportation
• 'Crypto-apocalypse'
THANK YOU
Closing keynote address: Vicki Gavin, Compliance Director, Head of Business Continuity & Information Security, The Economist Group
Thank you
Trickle-down Effects
Increasing rapidity of car trickle-down: yesteryears' top-end car innovations eventually migrate through the model range, becoming standard options in lower-priced vehicles.
This pattern of innovation holds true in virtually every field, including cyber-security.
Malware as a Service (MaaS): moving from the heavily funded specialist cyber experts down into the mass market.
MaaS is now commonly available at very low cost through the darknet and sites such as TOR and I2P.
Honeypots & Tokens: Evolution, Mimicry
Honeypots
Venus Flytrap in action (triggered honeypot)
Trojan Horse (passive honeypot): built by the Greeks and used to enter the city of Troy and win the 10-year Trojan War (a 4th-century story)
Cartography: a trap street (passive honeypot) is a fictitious entry in the form of a misrepresented street, placed for the purpose of trapping potential copyright violators
Tempting: moneypot
All mine... Ooops
Honeypot Principle
Focus on detecting threats: here we'd like to know immediately that someone has broken into the network and is in places they shouldn't be.
Ensure the honeypot looks appealing to the attacker: the honeypot must look legitimate & enticing.
In this attack scenario the defender has a particular advantage. Once attackers initially land inside your internal network they're at a disadvantage: they don't know the lay of the land and they need to explore it (reconnaissance) while remaining hidden.
Defence through Deception
Deception is a highly effective solution for protecting environments, used to confuse, delay and redirect the enemy.
Lured to the Canary honeypot, the attacker will be tricked into engaging with that device and believe they are being successful in their attack.
Canary: Today and Tomorrow
Canary is great for remote sites, but what about our VM data centres?
What about integration with established enterprise monitoring frameworks such as OpenView, CA or Microsoft SCOM?
Console management: limit on the number of deployed Canaries?
Are "Canarytokens" part of tomorrow's planning?
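As an added example that is not part of this talk or of the Canary product: a minimal decoy listener implementing the principle above (zero expected traffic, a believable banner as bait, every touch becomes a high-severity alert), alongside a canarytoken check run over constructed auth-log lines. The banner, decoy name, token name and log lines are assumed values made up for the demo.

```python
"""Canary-style decoy listener and canarytoken log check. Added example, not the
Canary product's code; banner, token name and log lines are constructed."""
import socket
import threading
import time
from dataclasses import dataclass, asdict
from typing import List

# Bait must look legitimate and enticing to an intruder doing reconnaissance.
FAKE_SSH_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"  # constructed; no real sshd behind it

@dataclass
class HoneypotEvent:
    ts: float
    decoy: str
    src_ip: str
    src_port: int
    dst_port: int
    first_bytes: str  # hex of whatever the client sent, kept for the analyst

class DecoyService:
    """TCP listener nothing legitimate should ever connect to. Expected traffic
    is zero, so every accepted connection is an alert with no baseline to tune."""

    def __init__(self, name: str, host: str = "127.0.0.1", port: int = 0):
        self.name = name
        self.events: List[HoneypotEvent] = []
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))  # port 0 lets the OS pick a free port
        self._sock.listen(5)
        self._sock.settimeout(0.2)     # so the accept loop notices stop()
        self.port = self._sock.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self) -> None:
        self._thread.start()

    def stop(self) -> None:
        self._stop.set()
        self._thread.join(timeout=2)
        self._sock.close()

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, (ip, sport) = self._sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(0.5)
                data = b""
                try:
                    conn.sendall(FAKE_SSH_BANNER)
                    data = conn.recv(64)  # record the intruder's first move
                except OSError:
                    pass
                self.events.append(HoneypotEvent(
                    ts=time.time(), decoy=self.name, src_ip=ip, src_port=sport,
                    dst_port=self.port, first_bytes=data.hex()))

def build_alert(event: HoneypotEvent) -> dict:
    """SOC alert record: always high severity, since only an uninvited explorer
    of the network would find and touch the decoy."""
    return {"severity": "high", "rule": "honeypot-touched",
            "summary": (f"{event.src_ip}:{event.src_port} connected to decoy "
                        f"'{event.decoy}' on port {event.dst_port}"),
            **asdict(event)}

# Canarytoken: a unique string with no legitimate use (here a planted fake
# account name); any appearance in the logs means it was lifted and tried.
CANARY_USER = "svc_backup_legacy"  # constructed token
SAMPLE_AUTH_LOG = [                # constructed log lines
    "Nov 04 09:12:01 fs01 sshd[2231]: Accepted publickey for alice from 10.0.4.12 port 50122",
    "Nov 04 09:40:17 fs01 sshd[2410]: Failed password for svc_backup_legacy from 10.0.9.77 port 41002",
    "Nov 04 09:40:19 fs01 sshd[2410]: Failed password for svc_backup_legacy from 10.0.9.77 port 41002",
]

def find_canarytoken_hits(log_lines: List[str], token: str) -> List[str]:
    """Every line mentioning the token is a hit; no frequency threshold needed."""
    return [line for line in log_lines if token in line]

def simulate_recon(decoy: DecoyService, probe: bytes = b"SSH-2.0-probe\r\n") -> HoneypotEvent:
    """Connects to the decoy once, as a scanner would, and returns the event the
    decoy recorded (used by the demo below and by the tests)."""
    with socket.create_connection(("127.0.0.1", decoy.port), timeout=2) as c:
        c.recv(64)       # the bait banner
        c.sendall(probe)
    deadline = time.time() + 2
    while not decoy.events and time.time() < deadline:
        time.sleep(0.01)  # give the listener thread a moment to log the touch
    return decoy.events[-1]

if __name__ == "__main__":
    d = DecoyService("fake-ssh-fileserver")
    d.start()
    print(build_alert(simulate_recon(d)))
    d.stop()
    print(find_canarytoken_hits(SAMPLE_AUTH_LOG, CANARY_USER))
```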
Identification & Authorisation
A new way forward
Tokens: in general a token is an object that represents something else, such as another object (either physical or virtual) or an abstract concept. In computer systems there are a number of types of tokens, both hardware and software.
In human terms a token of trust can exist between two parties, with such levels of trust reinforced through personal introductions with other parties.
A token generation & management platform designed specifically for high-security multi-services in public and private clouds greatly enhances trustworthy information handling.
Identification with Passwords: any directory service or management platform holding passwords becomes a target for the attacker's credential theft.
Passwords are fundamentally flawed: often easy to guess; reused across different services; written down, stored or shared; can be intercepted; expensive to maintain. 29% of all cybercrime is from stolen passwords.
Identification WITHOUT Password
The Problem: the password has outlived its usefulness.
Secure Cloudlink's Response: a patented and highly secure tokenised message management solution assures password redundancy. User credentials are not transmitted, stored or replicated. Secure digital services: a snap for the user.
Randomised encrypted key generation: no consistent key to be stolen.
Conclusion: Possible quick-wins
Immediate Low-risk Considerations
People protection: continuous interactive education on the threats & risks posed by cyber-criminals, through the deployment of Phish5 email phishing simulations with supporting education processes.
Network hardening: rapid deployment of customisable, low-cost, capex-free Canary honeypots at the strategic points on the network.
Access & authorisation protection: review and assess the usage & costs (direct/indirect) of passwords in your own organisation; test the results against Secure Cloudlink.
Information handling assurance: regular external expert assessment & audit of network data governance practices and procedures.
Security Through Obscurity
Warfare: The Social Threat
Attack Surface, Attribution, Residency, Deniability: Living room to Boardroom
Honeypots & Tokens: Evolution Mimicked
Identification and Authorisation: New Pathway
Thank you
Trust in "THIS"
Security through Obscurity: Ray Dalgarno
raycybercastco
New and evolving forms of malwareMark Olding Senior Enterprise Presales Consultant Kaspersky Labs
The what how who and why of computer malware
Mark OldingSenior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1NEW VIRUS EVERY HOUR
19941NEW VIRUS EVERY MINUTE
20061NEW VIRUS EVERY SECOND
2011310000NEW SAMPLES EVERY DAY
2016
THE SCALE OF THE THREAT
90
99
01
Targeted attacks
Advanced persistent threats
Traditional cybercrime
Targeted threats to organizations
Cyber-weapons
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of ThingsBig Data Fragmentation of the internet
Cloud amp Virtualization Consumerisation amp Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy amp Data protection challenge
Online banking at risk
Mobile threatsDecreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of ThingsTargeting hotel networks
Ransomware programs
Cyber mercenaries Massive data leaks
Malware for ATMs
Financial phishing attacksAttacks on
PoS terminals
Threats to Smart CitieslsquoWipersrsquo amp Cyber - sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email Exploit kits
Social Networks
BrowsersAn-droi-dOS
VULNERBILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798113087 web attacks in 2015
25 attacks per second1518 attacks per minute
21 million attacks per day 91000 attacks per hour
DRIVE-BY DOWNLOADS
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
bull Evaluate the risksbull Patch OS and applicationsbull Mange your networkbull Secure your systems
Multi-layered protection Not just endpoints Default-Deny Encrypt Donrsquot forget mobile
bull Educate staff
RIGHT NOW
bull Stop fire fighting Create a strategy
bull Itrsquos bigger than ITbull Delegate to experts
Assessment Incident response Analysis
TOMORROW
bull lsquoThe end of APTsrsquobull Alternative payment systems and stock exchangebull Sabotage extortion and shamebull Ransomwarebull Trusted resourcesbull From lsquoAPT-as-a-Servicersquo to lsquoAccess-as-a-servicersquobull Balkanisationbull Transportationbull lsquoCrypto-apocalypse
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
Honeypots amp TokensEvolution Mimicry
Honeypots
Venus Flytrap in Action (triggered honeypot)
Trojan Horse (passive honeypot) Greeks built used to enter the city of Troy and win the 10 year Trojan war - 4th Century story
Cartography A trap street (passive honeypot) is a fictitious entry in the form of a misrepresented street for the purpose of trapping potential copyright violators
Tempting - moneypot
All minehelliphelliphellip
Ooops
Honeypot Principle
Focus on detecting threats Here wersquod like to know immediately someone has broken into the network
and in places they shouldnrsquot be
Ensure the honeypot looks appealing to the attacker The honeypot must look legitimate amp enticing
In this attack scenario the defender has particular advantage Once attackers initially land inside your internal network theyrsquore at a
disadvantage They donrsquot know the lay of the land and they need to explore it (reconnaissance) while remaining hidden
Defence through Deception
Deception is a highly effective solution for protecting environments used to confuse delay and redirect the enemy
Lured to the Canary Honeypot the attacker will be tricked into engaging with that device and believe they are being successful in their attack
Canary ndash Today and Tomorrow
Canary - great for remote sites but what about our VM data centres
What about integration with established enterprise monitoring frameworks such as Openview CA or Microsoft SCOM
Console management limit on the number of deployed Canaries
Are ldquoCanarytokensrdquo part of tomorrowrsquos planning
Identification amp Authorisation
A new way forward
TokensTokens - In general a token is an object that represents something else such as another object (either physical or virtual) or an abstract concept In computer systems there are a number of types of tokens both hardware and software
In human terms a token of trust can exist between two parties with such levels of trust reinforced through personal introductions with other partiesA token generation amp management platform designed specifically for high security multi-services in public and private clouds
greatly enhances trustworthy information handling
Identification with Passwords Any directory service or managementplatform holding passwords becomes atarget by the attacker for credentialsrsquo theft
Passwords are fundamentally flawed Often easy to guess Are reused across different services Are written down or stored or shared Can be intercepted Are expensive to maintain 29 of all cybercrime is from stolen
passwords
Identification WITHOUT Password
The Problem The password has outlived itrsquos usefulness
Secure Cloudlinkrsquos Response Patented and highly secure tokenised message management
solution assures password redundancy User credentials are not transmitted stored or replicated Secure digital services - a snap for the user
Randomised encrypted key generation ndashno consistent key to be stolen
ConclusionPossible quick-wins
Immediate Low-risk ConsiderationsPeople protection Continuous inter-active education on the threats amp risks posed by cyber-criminals through the deployment of Phish5 email phishing simulations with supporting education processes
Network hardening Rapid deployment of customisable low-cost capex-free Canary honeypots throughout the strategic points on the network
Access amp authorisation protection Review and assess the usage amp costs (directindirect) of passwords in your own organisation ndash test the results against Secure Cloudlink
Information handling assurance Regular external expert assessment amp audit of network data governance practices and procedures
Security Through Obscurity
Warfare - The Social Threat
Attack Surface Attribution Residency Deniability -Livingroom to Boardroom
Honeypots amp Tokens ndash Evolution Mimicked
Identification and Authorisation ndash New Pathway
Thank you
Trust in ldquoTHISrdquo
Security through ObscurityRay Dalgarno
raycybercastco
New and evolving forms of malwareMark Olding Senior Enterprise Presales Consultant Kaspersky Labs
The what how who and why of computer malware
Mark OldingSenior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1NEW VIRUS EVERY HOUR
19941NEW VIRUS EVERY MINUTE
20061NEW VIRUS EVERY SECOND
2011310000NEW SAMPLES EVERY DAY
2016
THE SCALE OF THE THREAT
90
99
01
Targeted attacks
Advanced persistent threats
Traditional cybercrime
Targeted threats to organizations
Cyber-weapons
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of ThingsBig Data Fragmentation of the internet
Cloud amp Virtualization Consumerisation amp Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy amp Data protection challenge
Online banking at risk
Mobile threatsDecreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of ThingsTargeting hotel networks
Ransomware programs
Cyber mercenaries Massive data leaks
Malware for ATMs
Financial phishing attacksAttacks on
PoS terminals
Threats to Smart CitieslsquoWipersrsquo amp Cyber - sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email Exploit kits
Social Networks
BrowsersAn-droi-dOS
VULNERBILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798113087 web attacks in 2015
25 attacks per second1518 attacks per minute
21 million attacks per day 91000 attacks per hour
DRIVE-BY DOWNLOADS
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
bull Evaluate the risksbull Patch OS and applicationsbull Mange your networkbull Secure your systems
Multi-layered protection Not just endpoints Default-Deny Encrypt Donrsquot forget mobile
bull Educate staff
RIGHT NOW
bull Stop fire fighting Create a strategy
bull Itrsquos bigger than ITbull Delegate to experts
Assessment Incident response Analysis
TOMORROW
bull lsquoThe end of APTsrsquobull Alternative payment systems and stock exchangebull Sabotage extortion and shamebull Ransomwarebull Trusted resourcesbull From lsquoAPT-as-a-Servicersquo to lsquoAccess-as-a-servicersquobull Balkanisationbull Transportationbull lsquoCrypto-apocalypse
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
Honeypots
Venus Flytrap in Action (triggered honeypot)
Trojan Horse (passive honeypot) Greeks built used to enter the city of Troy and win the 10 year Trojan war - 4th Century story
Cartography A trap street (passive honeypot) is a fictitious entry in the form of a misrepresented street for the purpose of trapping potential copyright violators
Tempting - moneypot
All minehelliphelliphellip
Ooops
Honeypot Principle
Focus on detecting threats Here wersquod like to know immediately someone has broken into the network
and in places they shouldnrsquot be
Ensure the honeypot looks appealing to the attacker The honeypot must look legitimate amp enticing
In this attack scenario the defender has particular advantage Once attackers initially land inside your internal network theyrsquore at a
disadvantage They donrsquot know the lay of the land and they need to explore it (reconnaissance) while remaining hidden
Defence through Deception
Deception is a highly effective solution for protecting environments used to confuse delay and redirect the enemy
Lured to the Canary Honeypot the attacker will be tricked into engaging with that device and believe they are being successful in their attack
Canary ndash Today and Tomorrow
Canary - great for remote sites but what about our VM data centres
What about integration with established enterprise monitoring frameworks such as Openview CA or Microsoft SCOM
Console management limit on the number of deployed Canaries
Are ldquoCanarytokensrdquo part of tomorrowrsquos planning
Identification amp Authorisation
A new way forward
TokensTokens - In general a token is an object that represents something else such as another object (either physical or virtual) or an abstract concept In computer systems there are a number of types of tokens both hardware and software
In human terms a token of trust can exist between two parties with such levels of trust reinforced through personal introductions with other partiesA token generation amp management platform designed specifically for high security multi-services in public and private clouds
greatly enhances trustworthy information handling
Identification with Passwords Any directory service or managementplatform holding passwords becomes atarget by the attacker for credentialsrsquo theft
Passwords are fundamentally flawed Often easy to guess Are reused across different services Are written down or stored or shared Can be intercepted Are expensive to maintain 29 of all cybercrime is from stolen
passwords
Identification WITHOUT Password
The Problem The password has outlived itrsquos usefulness
Secure Cloudlinkrsquos Response Patented and highly secure tokenised message management
solution assures password redundancy User credentials are not transmitted stored or replicated Secure digital services - a snap for the user
Randomised encrypted key generation ndashno consistent key to be stolen
ConclusionPossible quick-wins
Immediate Low-risk ConsiderationsPeople protection Continuous inter-active education on the threats amp risks posed by cyber-criminals through the deployment of Phish5 email phishing simulations with supporting education processes
Network hardening Rapid deployment of customisable low-cost capex-free Canary honeypots throughout the strategic points on the network
Access amp authorisation protection Review and assess the usage amp costs (directindirect) of passwords in your own organisation ndash test the results against Secure Cloudlink
Information handling assurance Regular external expert assessment amp audit of network data governance practices and procedures
Security Through Obscurity
Warfare - The Social Threat
Attack Surface Attribution Residency Deniability -Livingroom to Boardroom
Honeypots amp Tokens ndash Evolution Mimicked
Identification and Authorisation ndash New Pathway
Thank you
Trust in ldquoTHISrdquo
Security through ObscurityRay Dalgarno
raycybercastco
New and evolving forms of malwareMark Olding Senior Enterprise Presales Consultant Kaspersky Labs
The what how who and why of computer malware
Mark OldingSenior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1NEW VIRUS EVERY HOUR
19941NEW VIRUS EVERY MINUTE
20061NEW VIRUS EVERY SECOND
2011310000NEW SAMPLES EVERY DAY
2016
THE SCALE OF THE THREAT
90
99
01
Targeted attacks
Advanced persistent threats
Traditional cybercrime
Targeted threats to organizations
Cyber-weapons
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of ThingsBig Data Fragmentation of the internet
Cloud amp Virtualization Consumerisation amp Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy amp Data protection challenge
Online banking at risk
Mobile threatsDecreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of ThingsTargeting hotel networks
Ransomware programs
Cyber mercenaries Massive data leaks
Malware for ATMs
Financial phishing attacksAttacks on
PoS terminals
Threats to Smart CitieslsquoWipersrsquo amp Cyber - sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email Exploit kits
Social Networks
BrowsersAn-droi-dOS
VULNERBILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798113087 web attacks in 2015
25 attacks per second1518 attacks per minute
21 million attacks per day 91000 attacks per hour
DRIVE-BY DOWNLOADS
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
bull Evaluate the risksbull Patch OS and applicationsbull Mange your networkbull Secure your systems
Multi-layered protection Not just endpoints Default-Deny Encrypt Donrsquot forget mobile
bull Educate staff
RIGHT NOW
bull Stop fire fighting Create a strategy
bull Itrsquos bigger than ITbull Delegate to experts
Assessment Incident response Analysis
TOMORROW
bull lsquoThe end of APTsrsquobull Alternative payment systems and stock exchangebull Sabotage extortion and shamebull Ransomwarebull Trusted resourcesbull From lsquoAPT-as-a-Servicersquo to lsquoAccess-as-a-servicersquobull Balkanisationbull Transportationbull lsquoCrypto-apocalypse
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
Tempting - moneypot
All minehelliphelliphellip
Ooops
Honeypot Principle
Focus on detecting threats Here wersquod like to know immediately someone has broken into the network
and in places they shouldnrsquot be
Ensure the honeypot looks appealing to the attacker The honeypot must look legitimate amp enticing
In this attack scenario the defender has particular advantage Once attackers initially land inside your internal network theyrsquore at a
disadvantage They donrsquot know the lay of the land and they need to explore it (reconnaissance) while remaining hidden
Defence through Deception
Deception is a highly effective solution for protecting environments used to confuse delay and redirect the enemy
Lured to the Canary Honeypot the attacker will be tricked into engaging with that device and believe they are being successful in their attack
Canary ndash Today and Tomorrow
Canary - great for remote sites but what about our VM data centres
What about integration with established enterprise monitoring frameworks such as Openview CA or Microsoft SCOM
Console management limit on the number of deployed Canaries
Are ldquoCanarytokensrdquo part of tomorrowrsquos planning
Identification amp Authorisation
A new way forward
TokensTokens - In general a token is an object that represents something else such as another object (either physical or virtual) or an abstract concept In computer systems there are a number of types of tokens both hardware and software
In human terms a token of trust can exist between two parties with such levels of trust reinforced through personal introductions with other partiesA token generation amp management platform designed specifically for high security multi-services in public and private clouds
greatly enhances trustworthy information handling
Identification with Passwords Any directory service or managementplatform holding passwords becomes atarget by the attacker for credentialsrsquo theft
Passwords are fundamentally flawed Often easy to guess Are reused across different services Are written down or stored or shared Can be intercepted Are expensive to maintain 29 of all cybercrime is from stolen
passwords
Identification WITHOUT Password
The Problem The password has outlived itrsquos usefulness
Secure Cloudlinkrsquos Response Patented and highly secure tokenised message management
solution assures password redundancy User credentials are not transmitted stored or replicated Secure digital services - a snap for the user
Randomised encrypted key generation ndashno consistent key to be stolen
ConclusionPossible quick-wins
Immediate Low-risk ConsiderationsPeople protection Continuous inter-active education on the threats amp risks posed by cyber-criminals through the deployment of Phish5 email phishing simulations with supporting education processes
Network hardening Rapid deployment of customisable low-cost capex-free Canary honeypots throughout the strategic points on the network
Access amp authorisation protection Review and assess the usage amp costs (directindirect) of passwords in your own organisation ndash test the results against Secure Cloudlink
Information handling assurance Regular external expert assessment amp audit of network data governance practices and procedures
Security Through Obscurity
Warfare - The Social Threat
Attack Surface Attribution Residency Deniability -Livingroom to Boardroom
Honeypots amp Tokens ndash Evolution Mimicked
Identification and Authorisation ndash New Pathway
Thank you
Trust in ldquoTHISrdquo
Security through ObscurityRay Dalgarno
raycybercastco
New and evolving forms of malwareMark Olding Senior Enterprise Presales Consultant Kaspersky Labs
The what how who and why of computer malware
Mark OldingSenior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1NEW VIRUS EVERY HOUR
19941NEW VIRUS EVERY MINUTE
20061NEW VIRUS EVERY SECOND
2011310000NEW SAMPLES EVERY DAY
2016
THE SCALE OF THE THREAT
90
99
01
Targeted attacks
Advanced persistent threats
Traditional cybercrime
Targeted threats to organizations
Cyber-weapons
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of ThingsBig Data Fragmentation of the internet
Cloud amp Virtualization Consumerisation amp Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy amp Data protection challenge
Online banking at risk
Mobile threatsDecreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of ThingsTargeting hotel networks
Ransomware programs
Cyber mercenaries Massive data leaks
Malware for ATMs
Financial phishing attacksAttacks on
PoS terminals
Threats to Smart CitieslsquoWipersrsquo amp Cyber - sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email Exploit kits
Social Networks
BrowsersAn-droi-dOS
VULNERBILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798,113,087 web attacks in 2015:
25 attacks per second, 1,518 attacks per minute, 91,000 attacks per hour, 2.1 million attacks per day
DRIVE-BY DOWNLOADS
SOCIAL MEDIA
REMOVABLE DRIVES
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
[Chart: users attacked per month, Nov-14 to Sep-15; y-axis 0–450,000 users]
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on almost 2 million computers
This number is 2.8% higher than in 2014
Ransomware
Blockers (lock the screen or system and demand payment to unlock it) and Cryptors (encrypt the victim's files and demand payment for the key)
ADVANCED PERSISTENT THREATS
Stuxnet, Duqu, Gauss, Flame, MiniFlame, Kimsuky, NetTraveler, Winnti, Icefog, RedOctober, Miniduke, TeamSpy, Energetic Bear/Crouching Yeti, Epic Turla, Careto/The Mask, Regin, CosmicDuke, Darkhotel, Spring Dragon, Satellite Turla, MsnMM Campaigns, Darkhotel Part 2, Animal Farm, Equation, Desert Falcons, Carbanak, Sofacy, Hellsing, Naikon, Duqu 2.0, Blue Termite, Wild Neutron
We discover and dissect the world's most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
A targeted attack on a bank
1. Infection: emails with exploits were sent to bank employees; Carbanak delivered its backdoor as an attachment; credentials were stolen; hundreds of machines were infected in search of the admin PC with access to the cash transfer systems
2. Harvesting intelligence: intercepting (recording) the clerk's screen
3. Mimicking the staff – how the money was stolen:
Online banking: money was transferred to the fraudsters' accounts
E-payment systems: money was transferred to banks in China and the US
Inflated account balances: the extra funds were pocketed via a fraudulent transaction
Controlling ATMs: orders to dispense cash at a pre-determined time
MAC MALWARE
In 2012 the Flashback botnet was discovered, consisting of 700,000 computers all running Mac OS X
Cybercriminals repeatedly use Mac malware when launching targeted attacks
Macs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
[Chart: Mac malware samples per period, 2003–2015; y-axis 0–30,000]
Since 2012 the proportion of adware on OS X has increased fivefold (x5)
Kaspersky Lab recorded almost 6 million unique attacks on Mac devices in 2015
There are more than 24,000 samples of malicious OS X files in Kaspersky Lab's collection
MOBILE MALWARE
[Chart: mobile malware samples per quarter, Q1 2011 – Q3 2015; y-axis 0–1,600,000]
Mobile malware by type: Adware, RiskTool, Trojan-SMS, Trojan, Trojan-Spy, Backdoor, Trojan-Downloader, Trojan-Banker, Trojan-Ransom, Monitor, Other
RIGHT NOW
• Evaluate the risks
• Patch OS and applications
• Manage your network
• Secure your systems: multi-layered protection, not just endpoints; Default-Deny; encrypt; don't forget mobile
• Educate staff
TOMORROW
• Stop fire-fighting: create a strategy
• It's bigger than IT
• Delegate to experts: assessment, incident response, analysis
FUTURE PROSPECTS
• 'The end of APTs'
• Alternative payment systems and stock exchange
• Sabotage, extortion and shame
• Ransomware
• Trusted resources
• From 'APT-as-a-Service' to 'Access-as-a-service'
• Balkanisation
• Transportation
• 'Crypto-apocalypse'
THANK YOU
Closing keynote address – Vicki Gavin, Compliance Director, Head of Business Continuity & Information Security, The Economist Group
Thank you
Honeypot Principle
Focus on detecting threats: here we'd like to know immediately that someone has broken into the network and is in places they shouldn't be
Ensure the honeypot looks appealing to the attacker: the honeypot must look legitimate and enticing
In this attack scenario the defender has a particular advantage. Once attackers initially land inside your internal network they're at a disadvantage: they don't know the lay of the land and they need to explore it (reconnaissance) while remaining hidden
Defence through Deception
Deception is a highly effective solution for protecting environments, used to confuse, delay and redirect the enemy
Lured to the Canary honeypot, the attacker is tricked into engaging with that device and believes they are being successful in their attack
Canary – Today and Tomorrow
Canary – great for remote sites, but what about our VM data centres?
What about integration with established enterprise monitoring frameworks such as OpenView, CA or Microsoft SCOM?
Console management: is there a limit on the number of deployed Canaries?
Are "Canarytokens" part of tomorrow's planning?
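The honeypot and Canarytoken slides above give the principle but not the mechanics. The following is an added example in Python, not code from the talk or from the Canary product, showing both halves of the idea: a fake FTP-style service that no legitimate user has any reason to contact, which records every connection as a high-confidence alert, and a canarytoken detector that scans web-server access-log lines for an unguessable token planted in a decoy file name. The banner text, the listening port, the token value and the three log lines are all assumptions constructed for the demo.

```python
"""Canary honeypot listener and canarytoken log scanner (added example).

Not the Canary product's code: a minimal stand-in that shows why a honeypot
hit is such a high-signal event. Nothing legitimate knows the fake service
or the decoy file exists, so any contact with either is an alert.
"""
import re
import secrets
import socket
import threading
import time
from dataclasses import dataclass


@dataclass
class Alert:
    kind: str    # "honeypot" (fake service touched) or "canarytoken" (decoy fetched)
    source: str  # remote address, or the client IP parsed from the access log
    detail: str  # what the intruder did: first bytes sent, or the request line


class CanaryService:
    """Fake FTP-style service: sends a plausible banner, records every connection.

    The banner (assumed for the demo) makes a scanner or an attacker's client
    treat the port as real, so they engage with it and reveal themselves.
    """

    def __init__(self, host="127.0.0.1", port=0,
                 banner=b"220 fileserver01 FTP server ready\r\n"):
        self.banner = banner
        self.alerts = []
        self._lock = threading.Lock()
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind((host, port))   # port 0: let the OS pick a free port
        self._srv.listen(5)
        self.port = self._srv.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, addr = self._srv.accept()
            except OSError:
                return                  # listener closed: stop serving
            with conn:
                conn.settimeout(5)      # a silent probe must not block the loop
                try:
                    conn.sendall(self.banner)
                    first = conn.recv(256)   # whatever the intruder sends first
                except OSError:
                    first = b""
            alert = Alert("honeypot", f"{addr[0]}:{addr[1]}",
                          first.decode("ascii", "replace").strip())
            with self._lock:
                self.alerts.append(alert)

    def wait_for_alerts(self, n, timeout=2.0):
        """Block until at least n alerts exist (or timeout) and return a copy."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.alerts) >= n:
                    return list(self.alerts)
            time.sleep(0.01)
        with self._lock:
            return list(self.alerts)

    def close(self):
        self._srv.close()


def probe(port, payload=b"USER admin\r\n", host="127.0.0.1"):
    """Stand-in for an intruder's client: connect, read the banner, send a command."""
    with socket.create_connection((host, port), timeout=5) as s:
        banner = s.recv(1024)
        s.sendall(payload)
    return banner


def new_canarytoken():
    """Unguessable string to plant in a decoy that is never linked anywhere."""
    return secrets.token_hex(16)


# Apache/nginx "combined" access-log line (regex written for this example).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def scan_access_log(lines, token):
    """Return one Alert per request whose path carries the canarytoken."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and token in m.group("path"):
            hits.append(Alert("canarytoken", m.group("ip"),
                              f"{m.group('method')} {m.group('path')}"))
    return hits


# Constructed demo data: a fixed token (real deployments call new_canarytoken())
# and three made-up log lines, one of which fetches the decoy spreadsheet.
DEMO_TOKEN = "6f1c2ab9d4e8f0a7c3b5d1e9f2a4c6b8"
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Nov/2016:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [04/Nov/2016:09:12:44 +0000] "GET /static/app.js HTTP/1.1" 200 88012 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [04/Nov/2016:11:03:17 +0000] "GET /finance/bonus-list-'
    + DEMO_TOKEN + '.xlsx HTTP/1.1" 404 211 "-" "curl/7.47.0"',
]

if __name__ == "__main__":
    svc = CanaryService()
    probe(svc.port)   # simulate an intruder touching the canary
    for a in svc.wait_for_alerts(1) + scan_access_log(SAMPLE_LOG, DEMO_TOKEN):
        print(f"{a.kind} alert from {a.source}: {a.detail}")
    svc.close()
```

The design point is the one the slide makes: a Canary does not try to be a hardened service, it only has to look real enough for the first command and to raise an alert on any contact. The token scanner answers the "Canarytokens" question by the same logic applied to data rather than hosts: a request for the decoy can only come from someone who found it while exploring where they should not be.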
Identification & Authorisation
A new way forward
Tokens – In general a token is an object that represents something else, such as another object (either physical or virtual) or an abstract concept. In computer systems there are a number of types of tokens, both hardware and software.
In human terms a token of trust can exist between two parties, with such levels of trust reinforced through personal introductions with other parties.
A token generation & management platform designed specifically for high-security multi-services in public and private clouds greatly enhances trustworthy information handling.
Identification with Passwords: any directory service or management platform holding passwords becomes a target for the attacker for credential theft
Passwords are fundamentally flawed: often easy to guess; reused across different services; written down, stored or shared; can be intercepted; expensive to maintain. 29% of all cybercrime is from stolen passwords
Identification WITHOUT Password
The Problem: the password has outlived its usefulness
Secure Cloudlink's Response: a patented and highly secure tokenised message management solution assures password redundancy. User credentials are not transmitted, stored or replicated. Secure digital services – a snap for the user
Randomised encrypted key generation – no consistent key to be stolen
Conclusion: Possible quick-wins
Immediate Low-risk Considerations
People protection: continuous interactive education on the threats and risks posed by cyber-criminals through the deployment of Phish5 email phishing simulations with supporting education processes
Network hardening: rapid deployment of customisable, low-cost, capex-free Canary honeypots at strategic points on the network
Access & authorisation protection: review and assess the usage and costs (direct and indirect) of passwords in your own organisation – test the results against Secure Cloudlink
Information handling assurance: regular external expert assessment and audit of network and data governance practices and procedures
Security Through Obscurity
Warfare - The Social Threat
Attack Surface Attribution Residency Deniability -Livingroom to Boardroom
Honeypots amp Tokens ndash Evolution Mimicked
Identification and Authorisation ndash New Pathway
Thank you
Trust in ldquoTHISrdquo
Security through ObscurityRay Dalgarno
raycybercastco
New and evolving forms of malwareMark Olding Senior Enterprise Presales Consultant Kaspersky Labs
The what how who and why of computer malware
Mark OldingSenior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1NEW VIRUS EVERY HOUR
19941NEW VIRUS EVERY MINUTE
20061NEW VIRUS EVERY SECOND
2011310000NEW SAMPLES EVERY DAY
2016
THE SCALE OF THE THREAT
90
99
01
Targeted attacks
Advanced persistent threats
Traditional cybercrime
Targeted threats to organizations
Cyber-weapons
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of ThingsBig Data Fragmentation of the internet
Cloud amp Virtualization Consumerisation amp Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy amp Data protection challenge
Online banking at risk
Mobile threatsDecreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of ThingsTargeting hotel networks
Ransomware programs
Cyber mercenaries Massive data leaks
Malware for ATMs
Financial phishing attacksAttacks on
PoS terminals
Threats to Smart CitieslsquoWipersrsquo amp Cyber - sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email Exploit kits
Social Networks
BrowsersAn-droi-dOS
VULNERBILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798113087 web attacks in 2015
25 attacks per second1518 attacks per minute
21 million attacks per day 91000 attacks per hour
DRIVE-BY DOWNLOADS
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
bull Evaluate the risksbull Patch OS and applicationsbull Mange your networkbull Secure your systems
Multi-layered protection Not just endpoints Default-Deny Encrypt Donrsquot forget mobile
bull Educate staff
RIGHT NOW
bull Stop fire fighting Create a strategy
bull Itrsquos bigger than ITbull Delegate to experts
Assessment Incident response Analysis
TOMORROW
bull lsquoThe end of APTsrsquobull Alternative payment systems and stock exchangebull Sabotage extortion and shamebull Ransomwarebull Trusted resourcesbull From lsquoAPT-as-a-Servicersquo to lsquoAccess-as-a-servicersquobull Balkanisationbull Transportationbull lsquoCrypto-apocalypse
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
Defence through Deception
Deception is a highly effective solution for protecting environments used to confuse delay and redirect the enemy
Lured to the Canary Honeypot the attacker will be tricked into engaging with that device and believe they are being successful in their attack
Canary ndash Today and Tomorrow
Canary - great for remote sites but what about our VM data centres
What about integration with established enterprise monitoring frameworks such as Openview CA or Microsoft SCOM
Console management limit on the number of deployed Canaries
Are ldquoCanarytokensrdquo part of tomorrowrsquos planning
Identification amp Authorisation
A new way forward
TokensTokens - In general a token is an object that represents something else such as another object (either physical or virtual) or an abstract concept In computer systems there are a number of types of tokens both hardware and software
In human terms a token of trust can exist between two parties with such levels of trust reinforced through personal introductions with other partiesA token generation amp management platform designed specifically for high security multi-services in public and private clouds
greatly enhances trustworthy information handling
Identification with Passwords Any directory service or managementplatform holding passwords becomes atarget by the attacker for credentialsrsquo theft
Passwords are fundamentally flawed Often easy to guess Are reused across different services Are written down or stored or shared Can be intercepted Are expensive to maintain 29 of all cybercrime is from stolen
passwords
Identification WITHOUT Password
The Problem The password has outlived itrsquos usefulness
Secure Cloudlinkrsquos Response Patented and highly secure tokenised message management
solution assures password redundancy User credentials are not transmitted stored or replicated Secure digital services - a snap for the user
Randomised encrypted key generation ndashno consistent key to be stolen
ConclusionPossible quick-wins
Immediate Low-risk ConsiderationsPeople protection Continuous inter-active education on the threats amp risks posed by cyber-criminals through the deployment of Phish5 email phishing simulations with supporting education processes
Network hardening Rapid deployment of customisable low-cost capex-free Canary honeypots throughout the strategic points on the network
Access amp authorisation protection Review and assess the usage amp costs (directindirect) of passwords in your own organisation ndash test the results against Secure Cloudlink
Information handling assurance Regular external expert assessment amp audit of network data governance practices and procedures
Security Through Obscurity
Warfare - The Social Threat
Attack Surface Attribution Residency Deniability -Livingroom to Boardroom
Honeypots amp Tokens ndash Evolution Mimicked
Identification and Authorisation ndash New Pathway
Thank you
Trust in ldquoTHISrdquo
Security through ObscurityRay Dalgarno
raycybercastco
New and evolving forms of malwareMark Olding Senior Enterprise Presales Consultant Kaspersky Labs
The what how who and why of computer malware
Mark OldingSenior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1NEW VIRUS EVERY HOUR
19941NEW VIRUS EVERY MINUTE
20061NEW VIRUS EVERY SECOND
2011310000NEW SAMPLES EVERY DAY
2016
THE SCALE OF THE THREAT
90
99
01
Targeted attacks
Advanced persistent threats
Traditional cybercrime
Targeted threats to organizations
Cyber-weapons
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of ThingsBig Data Fragmentation of the internet
Cloud amp Virtualization Consumerisation amp Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy amp Data protection challenge
Online banking at risk
Mobile threatsDecreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of ThingsTargeting hotel networks
Ransomware programs
Cyber mercenaries Massive data leaks
Malware for ATMs
Financial phishing attacksAttacks on
PoS terminals
Threats to Smart CitieslsquoWipersrsquo amp Cyber - sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email Exploit kits
Social Networks
BrowsersAn-droi-dOS
VULNERBILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798113087 web attacks in 2015
25 attacks per second1518 attacks per minute
21 million attacks per day 91000 attacks per hour
DRIVE-BY DOWNLOADS
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
bull Evaluate the risksbull Patch OS and applicationsbull Mange your networkbull Secure your systems
Multi-layered protection Not just endpoints Default-Deny Encrypt Donrsquot forget mobile
bull Educate staff
RIGHT NOW
bull Stop fire fighting Create a strategy
bull Itrsquos bigger than ITbull Delegate to experts
Assessment Incident response Analysis
TOMORROW
bull lsquoThe end of APTsrsquobull Alternative payment systems and stock exchangebull Sabotage extortion and shamebull Ransomwarebull Trusted resourcesbull From lsquoAPT-as-a-Servicersquo to lsquoAccess-as-a-servicersquobull Balkanisationbull Transportationbull lsquoCrypto-apocalypse
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
Canary ndash Today and Tomorrow
Canary - great for remote sites but what about our VM data centres
What about integration with established enterprise monitoring frameworks such as Openview CA or Microsoft SCOM
Console management limit on the number of deployed Canaries
Are ldquoCanarytokensrdquo part of tomorrowrsquos planning
Identification amp Authorisation
A new way forward
TokensTokens - In general a token is an object that represents something else such as another object (either physical or virtual) or an abstract concept In computer systems there are a number of types of tokens both hardware and software
In human terms a token of trust can exist between two parties with such levels of trust reinforced through personal introductions with other partiesA token generation amp management platform designed specifically for high security multi-services in public and private clouds
greatly enhances trustworthy information handling
Identification with Passwords Any directory service or managementplatform holding passwords becomes atarget by the attacker for credentialsrsquo theft
Passwords are fundamentally flawed Often easy to guess Are reused across different services Are written down or stored or shared Can be intercepted Are expensive to maintain 29 of all cybercrime is from stolen
passwords
Identification WITHOUT Password
The Problem The password has outlived itrsquos usefulness
Secure Cloudlinkrsquos Response Patented and highly secure tokenised message management
solution assures password redundancy User credentials are not transmitted stored or replicated Secure digital services - a snap for the user
Randomised encrypted key generation ndashno consistent key to be stolen
ConclusionPossible quick-wins
Immediate Low-risk ConsiderationsPeople protection Continuous inter-active education on the threats amp risks posed by cyber-criminals through the deployment of Phish5 email phishing simulations with supporting education processes
Network hardening Rapid deployment of customisable low-cost capex-free Canary honeypots throughout the strategic points on the network
Access amp authorisation protection Review and assess the usage amp costs (directindirect) of passwords in your own organisation ndash test the results against Secure Cloudlink
Information handling assurance Regular external expert assessment amp audit of network data governance practices and procedures
Security Through Obscurity
Warfare - The Social Threat
Attack Surface Attribution Residency Deniability -Livingroom to Boardroom
Honeypots amp Tokens ndash Evolution Mimicked
Identification and Authorisation ndash New Pathway
Thank you
Trust in ldquoTHISrdquo
Security through ObscurityRay Dalgarno
raycybercastco
New and evolving forms of malwareMark Olding Senior Enterprise Presales Consultant Kaspersky Labs
The what how who and why of computer malware
Mark OldingSenior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1NEW VIRUS EVERY HOUR
19941NEW VIRUS EVERY MINUTE
20061NEW VIRUS EVERY SECOND
2011310000NEW SAMPLES EVERY DAY
2016
THE SCALE OF THE THREAT
90
99
01
Targeted attacks
Advanced persistent threats
Traditional cybercrime
Targeted threats to organizations
Cyber-weapons
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of ThingsBig Data Fragmentation of the internet
Cloud amp Virtualization Consumerisation amp Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy amp Data protection challenge
Online banking at risk
Mobile threatsDecreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of ThingsTargeting hotel networks
Ransomware programs
Cyber mercenaries Massive data leaks
Malware for ATMs
Financial phishing attacksAttacks on
PoS terminals
Threats to Smart CitieslsquoWipersrsquo amp Cyber - sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email Exploit kits
Social Networks
BrowsersAn-droi-dOS
VULNERBILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798113087 web attacks in 2015
25 attacks per second1518 attacks per minute
21 million attacks per day 91000 attacks per hour
DRIVE-BY DOWNLOADS
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
bull Evaluate the risksbull Patch OS and applicationsbull Mange your networkbull Secure your systems
Multi-layered protection Not just endpoints Default-Deny Encrypt Donrsquot forget mobile
bull Educate staff
RIGHT NOW
bull Stop fire fighting Create a strategy
bull Itrsquos bigger than ITbull Delegate to experts
Assessment Incident response Analysis
TOMORROW
bull lsquoThe end of APTsrsquobull Alternative payment systems and stock exchangebull Sabotage extortion and shamebull Ransomwarebull Trusted resourcesbull From lsquoAPT-as-a-Servicersquo to lsquoAccess-as-a-servicersquobull Balkanisationbull Transportationbull lsquoCrypto-apocalypse
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
Identification amp Authorisation
A new way forward
TokensTokens - In general a token is an object that represents something else such as another object (either physical or virtual) or an abstract concept In computer systems there are a number of types of tokens both hardware and software
In human terms a token of trust can exist between two parties with such levels of trust reinforced through personal introductions with other partiesA token generation amp management platform designed specifically for high security multi-services in public and private clouds
greatly enhances trustworthy information handling
Identification with Passwords Any directory service or managementplatform holding passwords becomes atarget by the attacker for credentialsrsquo theft
Passwords are fundamentally flawed Often easy to guess Are reused across different services Are written down or stored or shared Can be intercepted Are expensive to maintain 29 of all cybercrime is from stolen
passwords
Identification WITHOUT Password
The Problem The password has outlived itrsquos usefulness
Secure Cloudlinkrsquos Response Patented and highly secure tokenised message management
solution assures password redundancy User credentials are not transmitted stored or replicated Secure digital services - a snap for the user
Randomised encrypted key generation ndashno consistent key to be stolen
ConclusionPossible quick-wins
Immediate Low-risk ConsiderationsPeople protection Continuous inter-active education on the threats amp risks posed by cyber-criminals through the deployment of Phish5 email phishing simulations with supporting education processes
Network hardening Rapid deployment of customisable low-cost capex-free Canary honeypots throughout the strategic points on the network
Access amp authorisation protection Review and assess the usage amp costs (directindirect) of passwords in your own organisation ndash test the results against Secure Cloudlink
Information handling assurance Regular external expert assessment amp audit of network data governance practices and procedures
Security Through Obscurity
Warfare - The Social Threat
Attack Surface Attribution Residency Deniability -Livingroom to Boardroom
Honeypots amp Tokens ndash Evolution Mimicked
Identification and Authorisation ndash New Pathway
Thank you
Trust in ldquoTHISrdquo
Security through ObscurityRay Dalgarno
raycybercastco
New and evolving forms of malwareMark Olding Senior Enterprise Presales Consultant Kaspersky Labs
The what how who and why of computer malware
Mark OldingSenior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1NEW VIRUS EVERY HOUR
19941NEW VIRUS EVERY MINUTE
20061NEW VIRUS EVERY SECOND
2011310000NEW SAMPLES EVERY DAY
2016
THE SCALE OF THE THREAT
90
99
01
Targeted attacks
Advanced persistent threats
Traditional cybercrime
Targeted threats to organizations
Cyber-weapons
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of ThingsBig Data Fragmentation of the internet
Cloud amp Virtualization Consumerisation amp Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy amp Data protection challenge
Online banking at risk
Mobile threatsDecreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of ThingsTargeting hotel networks
Ransomware programs
Cyber mercenaries Massive data leaks
Malware for ATMs
Financial phishing attacksAttacks on
PoS terminals
Threats to Smart CitieslsquoWipersrsquo amp Cyber - sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email Exploit kits
Social Networks
BrowsersAn-droi-dOS
VULNERBILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798113087 web attacks in 2015
25 attacks per second1518 attacks per minute
21 million attacks per day 91000 attacks per hour
DRIVE-BY DOWNLOADS
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
A targeted attack on a bank
1. Infection: Carbanak sent the backdoor as an attachment. Emails with exploits reached bank employees, credentials were stolen, and 100s of machines were infected in search of the admin PC.
2. Harvesting intelligence: intercepting the clerk's screen (recording the admin's work on the cash transfer systems).
3. Mimicking the staff: how the money was stolen
• Online banking: money was transferred to the fraudsters' accounts
• E-payment systems: money was transferred to banks in China and the US
• Inflated account balances: the extra funds were pocketed via a fraudulent transaction
• Controlling ATMs: orders to dispense cash at a pre-determined time
MAC MALWARE
In 2012 the Flashback botnet was discovered, consisting of 700,000 computers all running Mac OS X.
Cybercriminals repeatedly use Mac malware when launching targeted attacks.
Macs can unknowingly pass PC malware on to PCs in your network.
[Chart: Mac malware samples by year, 2003 to 2015; scale 0 to 30,000]
Since 2012 the proportion of adware on OS X has increased fivefold (x5).
Kaspersky Lab recorded almost 6 million unique attacks on Mac devices in 2015.
There are more than 24,000 samples of malicious OS X files in Kaspersky Lab's collection.
MOBILE MALWARE
[Chart: mobile malware samples by quarter, Q1 2011 to Q3 2015; scale 0 to 1,600,000]
[Chart: mobile malware by category: Adware, RiskTool, Trojan-SMS, Trojan, Trojan-Spy, Backdoor, Trojan-Downloader, Trojan-Banker, Trojan-Ransom, Monitor, Other]
RIGHT NOW
• Evaluate the risks
• Patch OS and applications
• Manage your network
• Secure your systems: multi-layered protection, not just endpoints; Default-Deny; encrypt; don't forget mobile
• Educate staff
TOMORROW
• Stop fire fighting: create a strategy
• It's bigger than IT
• Delegate to experts: assessment, incident response, analysis
FUTURE PROSPECTS
• 'The end of APTs'
• Alternative payment systems and stock exchange
• Sabotage, extortion and shame
• Ransomware
• Trusted resources
• From 'APT-as-a-Service' to 'Access-as-a-Service'
• Balkanisation
• Transportation
• 'Crypto-apocalypse'
THANK YOU
Closing keynote address: Vicki Gavin, Compliance Director, Head of Business Continuity & Information Security, The Economist Group
Thank you
Tokens
In general, a token is an object that represents something else, such as another object (either physical or virtual) or an abstract concept. In computer systems there are a number of types of tokens, both hardware and software.
In human terms, a token of trust can exist between two parties, with such levels of trust reinforced through personal introductions with other parties.
A token generation & management platform designed specifically for high-security multi-services in public and private clouds greatly enhances trustworthy information handling.
Identification with Passwords
Any directory service or management platform holding passwords becomes a target for attackers seeking to steal credentials.
Passwords are fundamentally flawed: they are often easy to guess, are reused across different services, are written down, stored or shared, can be intercepted, and are expensive to maintain. 29% of all cybercrime is from stolen passwords.
Identification WITHOUT Password
The Problem: the password has outlived its usefulness.
Secure Cloudlink's Response: a patented and highly secure tokenised message management solution assures password redundancy. User credentials are not transmitted, stored or replicated. Secure digital services: a snap for the user.
Randomised encrypted key generation: no consistent key to be stolen.
Conclusion: Possible quick-wins
Immediate low-risk considerations
People protection: continuous interactive education on the threats & risks posed by cyber-criminals, through the deployment of Phish5 email phishing simulations with supporting education processes.
Network hardening: rapid deployment of customisable, low-cost, capex-free Canary honeypots at the strategic points on the network.
Access & authorisation protection: review and assess the usage & costs (direct/indirect) of passwords in your own organisation; test the results against Secure Cloudlink.
Information handling assurance: regular external expert assessment & audit of network data governance practices and procedures.
Security Through Obscurity
Warfare - The Social Threat
Attack Surface, Attribution, Residency, Deniability - Living room to Boardroom
Honeypots & Tokens - Evolution Mimicked
Identification and Authorisation - New Pathway
Thank you
Trust in "THIS"
Security through Obscurity: Ray Dalgarno
raycybercastco
New and evolving forms of malware: Mark Olding, Senior Enterprise Presales Consultant, Kaspersky Labs
The what, how, who and why of computer malware
Mark Olding, Senior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1994: 1 new virus every hour
2006: 1 new virus every minute
2011: 1 new virus every second
2016: 310,000 new samples every day
THE NATURE OF THE THREAT
[Chart: threat pyramid, 90% / 9.9% / 0.1%: traditional cybercrime; targeted threats to organizations (targeted attacks, advanced persistent threats); cyber-weapons]
TRENDS AND THREATS
Internet of Things
Big Data
Fragmentation of the internet
Cloud & Virtualization
Consumerisation & Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy & Data protection challenge
Online banking at risk
Mobile threats
Decreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of ThingsTargeting hotel networks
Ransomware programs
Cyber mercenaries Massive data leaks
Malware for ATMs
Financial phishing attacksAttacks on
PoS terminals
Threats to Smart CitieslsquoWipersrsquo amp Cyber - sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email Exploit kits
Social Networks
BrowsersAn-droi-dOS
VULNERBILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798113087 web attacks in 2015
25 attacks per second1518 attacks per minute
21 million attacks per day 91000 attacks per hour
DRIVE-BY DOWNLOADS
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
bull Evaluate the risksbull Patch OS and applicationsbull Mange your networkbull Secure your systems
Multi-layered protection Not just endpoints Default-Deny Encrypt Donrsquot forget mobile
bull Educate staff
RIGHT NOW
bull Stop fire fighting Create a strategy
bull Itrsquos bigger than ITbull Delegate to experts
Assessment Incident response Analysis
TOMORROW
bull lsquoThe end of APTsrsquobull Alternative payment systems and stock exchangebull Sabotage extortion and shamebull Ransomwarebull Trusted resourcesbull From lsquoAPT-as-a-Servicersquo to lsquoAccess-as-a-servicersquobull Balkanisationbull Transportationbull lsquoCrypto-apocalypse
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
Identification with Passwords Any directory service or managementplatform holding passwords becomes atarget by the attacker for credentialsrsquo theft
Passwords are fundamentally flawed Often easy to guess Are reused across different services Are written down or stored or shared Can be intercepted Are expensive to maintain 29 of all cybercrime is from stolen
passwords
Identification WITHOUT Password
The Problem The password has outlived itrsquos usefulness
Secure Cloudlinkrsquos Response Patented and highly secure tokenised message management
solution assures password redundancy User credentials are not transmitted stored or replicated Secure digital services - a snap for the user
Randomised encrypted key generation ndashno consistent key to be stolen
ConclusionPossible quick-wins
Immediate Low-risk ConsiderationsPeople protection Continuous inter-active education on the threats amp risks posed by cyber-criminals through the deployment of Phish5 email phishing simulations with supporting education processes
Network hardening Rapid deployment of customisable low-cost capex-free Canary honeypots throughout the strategic points on the network
Access amp authorisation protection Review and assess the usage amp costs (directindirect) of passwords in your own organisation ndash test the results against Secure Cloudlink
Information handling assurance Regular external expert assessment amp audit of network data governance practices and procedures
Security Through Obscurity
Warfare - The Social Threat
Attack Surface Attribution Residency Deniability -Livingroom to Boardroom
Honeypots amp Tokens ndash Evolution Mimicked
Identification and Authorisation ndash New Pathway
Thank you
Trust in ldquoTHISrdquo
Security through ObscurityRay Dalgarno
raycybercastco
New and evolving forms of malwareMark Olding Senior Enterprise Presales Consultant Kaspersky Labs
The what how who and why of computer malware
Mark OldingSenior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1NEW VIRUS EVERY HOUR
19941NEW VIRUS EVERY MINUTE
20061NEW VIRUS EVERY SECOND
2011310000NEW SAMPLES EVERY DAY
2016
THE SCALE OF THE THREAT
90
99
01
Targeted attacks
Advanced persistent threats
Traditional cybercrime
Targeted threats to organizations
Cyber-weapons
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of ThingsBig Data Fragmentation of the internet
Cloud amp Virtualization Consumerisation amp Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy amp Data protection challenge
Online banking at risk
Mobile threatsDecreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of ThingsTargeting hotel networks
Ransomware programs
Cyber mercenaries Massive data leaks
Malware for ATMs
Financial phishing attacksAttacks on
PoS terminals
Threats to Smart CitieslsquoWipersrsquo amp Cyber - sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email Exploit kits
Social Networks
BrowsersAn-droi-dOS
VULNERBILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798113087 web attacks in 2015
25 attacks per second1518 attacks per minute
21 million attacks per day 91000 attacks per hour
DRIVE-BY DOWNLOADS
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
bull Evaluate the risksbull Patch OS and applicationsbull Mange your networkbull Secure your systems
Multi-layered protection Not just endpoints Default-Deny Encrypt Donrsquot forget mobile
bull Educate staff
RIGHT NOW
bull Stop fire fighting Create a strategy
bull Itrsquos bigger than ITbull Delegate to experts
Assessment Incident response Analysis
TOMORROW
bull lsquoThe end of APTsrsquobull Alternative payment systems and stock exchangebull Sabotage extortion and shamebull Ransomwarebull Trusted resourcesbull From lsquoAPT-as-a-Servicersquo to lsquoAccess-as-a-servicersquobull Balkanisationbull Transportationbull lsquoCrypto-apocalypse
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
Identification WITHOUT Password
The Problem The password has outlived itrsquos usefulness
Secure Cloudlinkrsquos Response Patented and highly secure tokenised message management
solution assures password redundancy User credentials are not transmitted stored or replicated Secure digital services - a snap for the user
Randomised encrypted key generation ndashno consistent key to be stolen
ConclusionPossible quick-wins
Immediate Low-risk ConsiderationsPeople protection Continuous inter-active education on the threats amp risks posed by cyber-criminals through the deployment of Phish5 email phishing simulations with supporting education processes
Network hardening Rapid deployment of customisable low-cost capex-free Canary honeypots throughout the strategic points on the network
Access amp authorisation protection Review and assess the usage amp costs (directindirect) of passwords in your own organisation ndash test the results against Secure Cloudlink
Information handling assurance Regular external expert assessment amp audit of network data governance practices and procedures
Security Through Obscurity
Warfare - The Social Threat
Attack Surface Attribution Residency Deniability -Livingroom to Boardroom
Honeypots amp Tokens ndash Evolution Mimicked
Identification and Authorisation ndash New Pathway
Thank you
Trust in ldquoTHISrdquo
Security through ObscurityRay Dalgarno
raycybercastco
New and evolving forms of malwareMark Olding Senior Enterprise Presales Consultant Kaspersky Labs
The what how who and why of computer malware
Mark OldingSenior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1NEW VIRUS EVERY HOUR
19941NEW VIRUS EVERY MINUTE
20061NEW VIRUS EVERY SECOND
2011310000NEW SAMPLES EVERY DAY
2016
THE SCALE OF THE THREAT
90
99
01
Targeted attacks
Advanced persistent threats
Traditional cybercrime
Targeted threats to organizations
Cyber-weapons
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of ThingsBig Data Fragmentation of the internet
Cloud amp Virtualization Consumerisation amp Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy amp Data protection challenge
Online banking at risk
Mobile threatsDecreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of ThingsTargeting hotel networks
Ransomware programs
Cyber mercenaries Massive data leaks
Malware for ATMs
Financial phishing attacksAttacks on
PoS terminals
Threats to Smart CitieslsquoWipersrsquo amp Cyber - sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email Exploit kits
Social Networks
BrowsersAn-droi-dOS
VULNERBILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798113087 web attacks in 2015
25 attacks per second1518 attacks per minute
21 million attacks per day 91000 attacks per hour
DRIVE-BY DOWNLOADS
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
bull Evaluate the risksbull Patch OS and applicationsbull Mange your networkbull Secure your systems
Multi-layered protection Not just endpoints Default-Deny Encrypt Donrsquot forget mobile
bull Educate staff
RIGHT NOW
bull Stop fire fighting Create a strategy
bull Itrsquos bigger than ITbull Delegate to experts
Assessment Incident response Analysis
TOMORROW
bull lsquoThe end of APTsrsquobull Alternative payment systems and stock exchangebull Sabotage extortion and shamebull Ransomwarebull Trusted resourcesbull From lsquoAPT-as-a-Servicersquo to lsquoAccess-as-a-servicersquobull Balkanisationbull Transportationbull lsquoCrypto-apocalypse
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
ConclusionPossible quick-wins
Immediate Low-risk ConsiderationsPeople protection Continuous inter-active education on the threats amp risks posed by cyber-criminals through the deployment of Phish5 email phishing simulations with supporting education processes
Network hardening Rapid deployment of customisable low-cost capex-free Canary honeypots throughout the strategic points on the network
Access amp authorisation protection Review and assess the usage amp costs (directindirect) of passwords in your own organisation ndash test the results against Secure Cloudlink
Information handling assurance Regular external expert assessment amp audit of network data governance practices and procedures
Security Through Obscurity
Warfare - The Social Threat
Attack Surface Attribution Residency Deniability -Livingroom to Boardroom
Honeypots amp Tokens ndash Evolution Mimicked
Identification and Authorisation ndash New Pathway
Thank you
Trust in ldquoTHISrdquo
Security through ObscurityRay Dalgarno
raycybercastco
New and evolving forms of malwareMark Olding Senior Enterprise Presales Consultant Kaspersky Labs
The what how who and why of computer malware
Mark OldingSenior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1NEW VIRUS EVERY HOUR
19941NEW VIRUS EVERY MINUTE
20061NEW VIRUS EVERY SECOND
2011310000NEW SAMPLES EVERY DAY
2016
THE SCALE OF THE THREAT
90
99
01
Targeted attacks
Advanced persistent threats
Traditional cybercrime
Targeted threats to organizations
Cyber-weapons
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of ThingsBig Data Fragmentation of the internet
Cloud amp Virtualization Consumerisation amp Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy amp Data protection challenge
Online banking at risk
Mobile threatsDecreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of ThingsTargeting hotel networks
Ransomware programs
Cyber mercenaries Massive data leaks
Malware for ATMs
Financial phishing attacksAttacks on
PoS terminals
Threats to Smart CitieslsquoWipersrsquo amp Cyber - sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email Exploit kits
Social Networks
BrowsersAn-droi-dOS
VULNERBILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798113087 web attacks in 2015
25 attacks per second1518 attacks per minute
21 million attacks per day 91000 attacks per hour
DRIVE-BY DOWNLOADS
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
bull Evaluate the risksbull Patch OS and applicationsbull Mange your networkbull Secure your systems
Multi-layered protection Not just endpoints Default-Deny Encrypt Donrsquot forget mobile
bull Educate staff
RIGHT NOW
bull Stop fire fighting Create a strategy
bull Itrsquos bigger than ITbull Delegate to experts
Assessment Incident response Analysis
TOMORROW
bull lsquoThe end of APTsrsquobull Alternative payment systems and stock exchangebull Sabotage extortion and shamebull Ransomwarebull Trusted resourcesbull From lsquoAPT-as-a-Servicersquo to lsquoAccess-as-a-servicersquobull Balkanisationbull Transportationbull lsquoCrypto-apocalypse
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
Immediate Low-risk ConsiderationsPeople protection Continuous inter-active education on the threats amp risks posed by cyber-criminals through the deployment of Phish5 email phishing simulations with supporting education processes
Network hardening Rapid deployment of customisable low-cost capex-free Canary honeypots throughout the strategic points on the network
Access amp authorisation protection Review and assess the usage amp costs (directindirect) of passwords in your own organisation ndash test the results against Secure Cloudlink
Information handling assurance Regular external expert assessment amp audit of network data governance practices and procedures
Security Through Obscurity
Warfare - The Social Threat
Attack Surface Attribution Residency Deniability -Livingroom to Boardroom
Honeypots amp Tokens ndash Evolution Mimicked
Identification and Authorisation ndash New Pathway
Thank you
Trust in ldquoTHISrdquo
Security through ObscurityRay Dalgarno
raycybercastco
New and evolving forms of malwareMark Olding Senior Enterprise Presales Consultant Kaspersky Labs
The what how who and why of computer malware
Mark OldingSenior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1NEW VIRUS EVERY HOUR
19941NEW VIRUS EVERY MINUTE
20061NEW VIRUS EVERY SECOND
2011310000NEW SAMPLES EVERY DAY
2016
THE SCALE OF THE THREAT
90
99
01
Targeted attacks
Advanced persistent threats
Traditional cybercrime
Targeted threats to organizations
Cyber-weapons
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of ThingsBig Data Fragmentation of the internet
Cloud amp Virtualization Consumerisation amp Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy amp Data protection challenge
Online banking at risk
Mobile threatsDecreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of ThingsTargeting hotel networks
Ransomware programs
Cyber mercenaries Massive data leaks
Malware for ATMs
Financial phishing attacksAttacks on
PoS terminals
Threats to Smart CitieslsquoWipersrsquo amp Cyber - sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email Exploit kits
Social Networks
BrowsersAn-droi-dOS
VULNERBILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798113087 web attacks in 2015
25 attacks per second1518 attacks per minute
21 million attacks per day 91000 attacks per hour
DRIVE-BY DOWNLOADS
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Chart: mobile malware samples by quarter, Q1 2011 to Q3 2015 (scale 0 to 1,600,000).
Chart: mobile malware by category: Adware, RiskTool, Trojan-SMS, Trojan, Trojan-Spy, Backdoor, Trojan-Downloader, Trojan-Banker, Trojan-Ransom, Monitor, Other.
RIGHT NOW
• Evaluate the risks
• Patch OS and applications
• Manage your network
• Secure your systems: multi-layered protection, not just endpoints; Default-Deny; encrypt; don't forget mobile
• Educate staff
TOMORROW
• Stop fire fighting: create a strategy
• It's bigger than IT
• Delegate to experts: assessment, incident response, analysis
FUTURE PROSPECTS
• 'The end of APTs'
• Alternative payment systems and stock exchange
• Sabotage, extortion and shame
• Ransomware
• Trusted resources
• From 'APT-as-a-Service' to 'Access-as-a-Service'
• Balkanisation
• Transportation
• 'Crypto-apocalypse'
THANK YOU
Closing keynote address: Vicki Gavin, Compliance Director, Head of Business Continuity & Information Security, The Economist Group
Thank you
Security Through Obscurity
Warfare – The Social Threat
Attack Surface, Attribution, Residency, Deniability – Living room to Boardroom
Honeypots & Tokens – Evolution Mimicked
Identification and Authorisation – New Pathway
Thank you
Trust in “THIS”
Security through Obscurity: Ray Dalgarno
raycybercastco
New and evolving forms of malware: Mark Olding, Senior Enterprise Presales Consultant, Kaspersky Lab
The what, how, who and why of computer malware
Mark Olding, Senior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1994: 1 new virus every hour
2006: 1 new virus every minute
2011: 1 new virus every second
2016: 310,000 new samples every day
THE SCALE OF THE THREAT
Chart: share of threats by type: traditional cybercrime 90%; targeted threats to organizations (targeted attacks and advanced persistent threats) 9.9%; cyber-weapons 0.1%.
THE NATURE OF THE THREAT
TRENDS AND THREATS
• Internet of Things
• Big Data
• Fragmentation of the internet
• Cloud & Virtualization
• Consumerisation & Mobility
• Critical infrastructure at risk
• Increasing online commerce
• Privacy & data protection challenge
• Online banking at risk
• Mobile threats
• Decreasing costs of APTs
• Merger of cybercrime and APTs
• Supply chain attacks
• Targeting hotel networks
• Ransomware programs
• Cyber mercenaries
• Massive data leaks
• Malware for ATMs
• Financial phishing attacks
• Attacks on PoS terminals
• Threats to smart cities
• 'Wipers' & cyber-sabotage
• Targeted attacks
HOW MALWARE SPREADS
• USB sticks
• Email
• Exploit kits
• Social networks
• Browsers
• Android OS
VULNERABILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab detected 798,113,087 web attacks in 2015: 25 attacks per second, 1,518 attacks per minute, 91,000 attacks per hour, 2.1 million attacks per day.
DRIVE-BY DOWNLOADS (June 2015)
SOCIAL MEDIA (June 2015)
REMOVABLE DRIVES (June 2015)
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Chart: users attacked per month, Nov 2014 to Sep 2015 (scale 0 to 450,000).
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
bull Evaluate the risksbull Patch OS and applicationsbull Mange your networkbull Secure your systems
Multi-layered protection Not just endpoints Default-Deny Encrypt Donrsquot forget mobile
bull Educate staff
RIGHT NOW
bull Stop fire fighting Create a strategy
bull Itrsquos bigger than ITbull Delegate to experts
Assessment Incident response Analysis
TOMORROW
bull lsquoThe end of APTsrsquobull Alternative payment systems and stock exchangebull Sabotage extortion and shamebull Ransomwarebull Trusted resourcesbull From lsquoAPT-as-a-Servicersquo to lsquoAccess-as-a-servicersquobull Balkanisationbull Transportationbull lsquoCrypto-apocalypse
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
Thank you
Trust in ldquoTHISrdquo
Security through ObscurityRay Dalgarno
raycybercastco
New and evolving forms of malwareMark Olding Senior Enterprise Presales Consultant Kaspersky Labs
The what how who and why of computer malware
Mark OldingSenior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1NEW VIRUS EVERY HOUR
19941NEW VIRUS EVERY MINUTE
20061NEW VIRUS EVERY SECOND
2011310000NEW SAMPLES EVERY DAY
2016
THE SCALE OF THE THREAT
90
99
01
Targeted attacks
Advanced persistent threats
Traditional cybercrime
Targeted threats to organizations
Cyber-weapons
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of ThingsBig Data Fragmentation of the internet
Cloud amp Virtualization Consumerisation amp Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy amp Data protection challenge
Online banking at risk
Mobile threatsDecreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of ThingsTargeting hotel networks
Ransomware programs
Cyber mercenaries Massive data leaks
Malware for ATMs
Financial phishing attacksAttacks on
PoS terminals
Threats to Smart CitieslsquoWipersrsquo amp Cyber - sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email Exploit kits
Social Networks
BrowsersAn-droi-dOS
VULNERBILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798113087 web attacks in 2015
25 attacks per second1518 attacks per minute
21 million attacks per day 91000 attacks per hour
DRIVE-BY DOWNLOADS
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
bull Evaluate the risksbull Patch OS and applicationsbull Mange your networkbull Secure your systems
Multi-layered protection Not just endpoints Default-Deny Encrypt Donrsquot forget mobile
bull Educate staff
RIGHT NOW
bull Stop fire fighting Create a strategy
bull Itrsquos bigger than ITbull Delegate to experts
Assessment Incident response Analysis
TOMORROW
bull lsquoThe end of APTsrsquobull Alternative payment systems and stock exchangebull Sabotage extortion and shamebull Ransomwarebull Trusted resourcesbull From lsquoAPT-as-a-Servicersquo to lsquoAccess-as-a-servicersquobull Balkanisationbull Transportationbull lsquoCrypto-apocalypse
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
New and evolving forms of malwareMark Olding Senior Enterprise Presales Consultant Kaspersky Labs
The what how who and why of computer malware
Mark OldingSenior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1NEW VIRUS EVERY HOUR
19941NEW VIRUS EVERY MINUTE
20061NEW VIRUS EVERY SECOND
2011310000NEW SAMPLES EVERY DAY
2016
THE SCALE OF THE THREAT
90
99
01
Targeted attacks
Advanced persistent threats
Traditional cybercrime
Targeted threats to organizations
Cyber-weapons
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of ThingsBig Data Fragmentation of the internet
Cloud amp Virtualization Consumerisation amp Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy amp Data protection challenge
Online banking at risk
Mobile threatsDecreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of ThingsTargeting hotel networks
Ransomware programs
Cyber mercenaries Massive data leaks
Malware for ATMs
Financial phishing attacksAttacks on
PoS terminals
Threats to Smart CitieslsquoWipersrsquo amp Cyber - sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email Exploit kits
Social Networks
BrowsersAn-droi-dOS
VULNERBILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798113087 web attacks in 2015
25 attacks per second1518 attacks per minute
21 million attacks per day 91000 attacks per hour
DRIVE-BY DOWNLOADS
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
bull Evaluate the risksbull Patch OS and applicationsbull Mange your networkbull Secure your systems
Multi-layered protection Not just endpoints Default-Deny Encrypt Donrsquot forget mobile
bull Educate staff
RIGHT NOW
bull Stop fire fighting Create a strategy
bull Itrsquos bigger than ITbull Delegate to experts
Assessment Incident response Analysis
TOMORROW
bull lsquoThe end of APTsrsquobull Alternative payment systems and stock exchangebull Sabotage extortion and shamebull Ransomwarebull Trusted resourcesbull From lsquoAPT-as-a-Servicersquo to lsquoAccess-as-a-servicersquobull Balkanisationbull Transportationbull lsquoCrypto-apocalypse
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
The what how who and why of computer malware
Mark OldingSenior Enterprise Presales Consultant
THE SCALE OF THE THREAT
1NEW VIRUS EVERY HOUR
19941NEW VIRUS EVERY MINUTE
20061NEW VIRUS EVERY SECOND
2011310000NEW SAMPLES EVERY DAY
2016
THE SCALE OF THE THREAT
90
99
01
Targeted attacks
Advanced persistent threats
Traditional cybercrime
Targeted threats to organizations
Cyber-weapons
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of ThingsBig Data Fragmentation of the internet
Cloud amp Virtualization Consumerisation amp Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy amp Data protection challenge
Online banking at risk
Mobile threatsDecreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of ThingsTargeting hotel networks
Ransomware programs
Cyber mercenaries Massive data leaks
Malware for ATMs
Financial phishing attacksAttacks on
PoS terminals
Threats to Smart CitieslsquoWipersrsquo amp Cyber - sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email Exploit kits
Social Networks
BrowsersAn-droi-dOS
VULNERBILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798113087 web attacks in 2015
25 attacks per second1518 attacks per minute
21 million attacks per day 91000 attacks per hour
DRIVE-BY DOWNLOADS
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
bull Evaluate the risksbull Patch OS and applicationsbull Mange your networkbull Secure your systems
Multi-layered protection Not just endpoints Default-Deny Encrypt Donrsquot forget mobile
bull Educate staff
RIGHT NOW
bull Stop fire fighting Create a strategy
bull Itrsquos bigger than ITbull Delegate to experts
Assessment Incident response Analysis
TOMORROW
bull lsquoThe end of APTsrsquobull Alternative payment systems and stock exchangebull Sabotage extortion and shamebull Ransomwarebull Trusted resourcesbull From lsquoAPT-as-a-Servicersquo to lsquoAccess-as-a-servicersquobull Balkanisationbull Transportationbull lsquoCrypto-apocalypse
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
THE SCALE OF THE THREAT
1NEW VIRUS EVERY HOUR
19941NEW VIRUS EVERY MINUTE
20061NEW VIRUS EVERY SECOND
2011310000NEW SAMPLES EVERY DAY
2016
THE SCALE OF THE THREAT
90
99
01
Targeted attacks
Advanced persistent threats
Traditional cybercrime
Targeted threats to organizations
Cyber-weapons
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of ThingsBig Data Fragmentation of the internet
Cloud amp Virtualization Consumerisation amp Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy amp Data protection challenge
Online banking at risk
Mobile threatsDecreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of ThingsTargeting hotel networks
Ransomware programs
Cyber mercenaries Massive data leaks
Malware for ATMs
Financial phishing attacksAttacks on
PoS terminals
Threats to Smart CitieslsquoWipersrsquo amp Cyber - sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email Exploit kits
Social Networks
BrowsersAn-droi-dOS
VULNERBILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798113087 web attacks in 2015
25 attacks per second1518 attacks per minute
21 million attacks per day 91000 attacks per hour
DRIVE-BY DOWNLOADS
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
bull Evaluate the risksbull Patch OS and applicationsbull Mange your networkbull Secure your systems
Multi-layered protection Not just endpoints Default-Deny Encrypt Donrsquot forget mobile
bull Educate staff
RIGHT NOW
bull Stop fire fighting Create a strategy
bull Itrsquos bigger than ITbull Delegate to experts
Assessment Incident response Analysis
TOMORROW
bull lsquoThe end of APTsrsquobull Alternative payment systems and stock exchangebull Sabotage extortion and shamebull Ransomwarebull Trusted resourcesbull From lsquoAPT-as-a-Servicersquo to lsquoAccess-as-a-servicersquobull Balkanisationbull Transportationbull lsquoCrypto-apocalypse
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
90
99
01
Targeted attacks
Advanced persistent threats
Traditional cybercrime
Targeted threats to organizations
Cyber-weapons
THE NATURE OF THE THREAT
TRENDS AND THREATS
Internet of ThingsBig Data Fragmentation of the internet
Cloud amp Virtualization Consumerisation amp Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy amp Data protection challenge
Online banking at risk
Mobile threatsDecreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of ThingsTargeting hotel networks
Ransomware programs
Cyber mercenaries Massive data leaks
Malware for ATMs
Financial phishing attacksAttacks on
PoS terminals
Threats to Smart CitieslsquoWipersrsquo amp Cyber - sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email Exploit kits
Social Networks
BrowsersAn-droi-dOS
VULNERBILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798113087 web attacks in 2015
25 attacks per second1518 attacks per minute
21 million attacks per day 91000 attacks per hour
DRIVE-BY DOWNLOADS
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
bull Evaluate the risksbull Patch OS and applicationsbull Mange your networkbull Secure your systems
Multi-layered protection Not just endpoints Default-Deny Encrypt Donrsquot forget mobile
bull Educate staff
RIGHT NOW
bull Stop fire fighting Create a strategy
bull Itrsquos bigger than ITbull Delegate to experts
Assessment Incident response Analysis
TOMORROW
bull lsquoThe end of APTsrsquobull Alternative payment systems and stock exchangebull Sabotage extortion and shamebull Ransomwarebull Trusted resourcesbull From lsquoAPT-as-a-Servicersquo to lsquoAccess-as-a-servicersquobull Balkanisationbull Transportationbull lsquoCrypto-apocalypse
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
TRENDS AND THREATS
Internet of ThingsBig Data Fragmentation of the internet
Cloud amp Virtualization Consumerisation amp Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy amp Data protection challenge
Online banking at risk
Mobile threatsDecreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Internet of ThingsTargeting hotel networks
Ransomware programs
Cyber mercenaries Massive data leaks
Malware for ATMs
Financial phishing attacksAttacks on
PoS terminals
Threats to Smart CitieslsquoWipersrsquo amp Cyber - sabotage
Targeted Attacks
HOW MALWARE SPREADS
USB sticks
Email Exploit kits
Social Networks
BrowsersAn-droi-dOS
VULNERBILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798113087 web attacks in 2015
25 attacks per second1518 attacks per minute
21 million attacks per day 91000 attacks per hour
DRIVE-BY DOWNLOADS
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the Flashback botnet was discovered, consisting of 700,000 computers all running Mac OS X.
Cybercriminals repeatedly use Mac malware when launching targeted attacks.
Macs can unknowingly pass PC malware onto PCs in your network.
[Chart: Mac malware samples per year, 2003 to 2015; y-axis 0 to 30,000]
Since 2012 the proportion of adware on OS X has increased fivefold (x5).
Kaspersky Lab recorded almost 6 million unique attacks on Mac devices in 2015.
There are more than 24,000 samples of malicious OS X files in Kaspersky Lab's collection.
MOBILE MALWARE
[Chart: mobile malware samples per quarter, Q1 2011 to Q3 2015; y-axis 0 to 1,600,000]
[Chart: mobile malware by type: Adware, RiskTool, Trojan-SMS, Trojan, Trojan-Spy, Backdoor, Trojan-Downloader, Trojan-Banker, Trojan-Ransom, Monitor, Other]
RIGHT NOW
• Evaluate the risks
• Patch OS and applications
• Manage your network
• Secure your systems: multi-layered protection, not just endpoints; Default-Deny; encrypt; don't forget mobile
• Educate staff
TOMORROW
• Stop fire fighting: create a strategy
• It's bigger than IT
• Delegate to experts: assessment, incident response, analysis
FUTURE PROSPECTS
• 'The end of APTs'
• Alternative payment systems and stock exchange
• Sabotage, extortion and shame
• Ransomware
• Trusted resources
• From 'APT-as-a-Service' to 'Access-as-a-service'
• Balkanisation
• Transportation
• 'Crypto-apocalypse'
THANK YOU
Closing keynote address: Vicki Gavin, Compliance Director, Head of Business Continuity & Information Security, The Economist Group
Thank you
HOW MALWARE SPREADS
USB sticks, email, exploit kits, social networks, browsers, Android OS
VULNERABILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798,113,087 web attacks in 2015
25 attacks per second1518 attacks per minute
21 million attacks per day 91000 attacks per hour
DRIVE-BY DOWNLOADS
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
bull Evaluate the risksbull Patch OS and applicationsbull Mange your networkbull Secure your systems
Multi-layered protection Not just endpoints Default-Deny Encrypt Donrsquot forget mobile
bull Educate staff
RIGHT NOW
bull Stop fire fighting Create a strategy
bull Itrsquos bigger than ITbull Delegate to experts
Assessment Incident response Analysis
TOMORROW
bull lsquoThe end of APTsrsquobull Alternative payment systems and stock exchangebull Sabotage extortion and shamebull Ransomwarebull Trusted resourcesbull From lsquoAPT-as-a-Servicersquo to lsquoAccess-as-a-servicersquobull Balkanisationbull Transportationbull lsquoCrypto-apocalypse
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
BrowsersAn-droi-dOS
VULNERBILITIES AND EXPLOITS
WEB-BASED THREATS
Kaspersky Lab discovered 798113087 web attacks in 2015
25 attacks per second1518 attacks per minute
21 million attacks per day 91000 attacks per hour
DRIVE-BY DOWNLOADS
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
bull Evaluate the risksbull Patch OS and applicationsbull Mange your networkbull Secure your systems
Multi-layered protection Not just endpoints Default-Deny Encrypt Donrsquot forget mobile
bull Educate staff
RIGHT NOW
bull Stop fire fighting Create a strategy
bull Itrsquos bigger than ITbull Delegate to experts
Assessment Incident response Analysis
TOMORROW
bull lsquoThe end of APTsrsquobull Alternative payment systems and stock exchangebull Sabotage extortion and shamebull Ransomwarebull Trusted resourcesbull From lsquoAPT-as-a-Servicersquo to lsquoAccess-as-a-servicersquobull Balkanisationbull Transportationbull lsquoCrypto-apocalypse
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
WEB-BASED THREATS
Kaspersky Lab discovered 798113087 web attacks in 2015
25 attacks per second1518 attacks per minute
21 million attacks per day 91000 attacks per hour
DRIVE-BY DOWNLOADS
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
bull Evaluate the risksbull Patch OS and applicationsbull Mange your networkbull Secure your systems
Multi-layered protection Not just endpoints Default-Deny Encrypt Donrsquot forget mobile
bull Educate staff
RIGHT NOW
bull Stop fire fighting Create a strategy
bull Itrsquos bigger than ITbull Delegate to experts
Assessment Incident response Analysis
TOMORROW
bull lsquoThe end of APTsrsquobull Alternative payment systems and stock exchangebull Sabotage extortion and shamebull Ransomwarebull Trusted resourcesbull From lsquoAPT-as-a-Servicersquo to lsquoAccess-as-a-servicersquobull Balkanisationbull Transportationbull lsquoCrypto-apocalypse
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
DRIVE-BY DOWNLOADS
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
bull Evaluate the risksbull Patch OS and applicationsbull Mange your networkbull Secure your systems
Multi-layered protection Not just endpoints Default-Deny Encrypt Donrsquot forget mobile
bull Educate staff
RIGHT NOW
bull Stop fire fighting Create a strategy
bull Itrsquos bigger than ITbull Delegate to experts
Assessment Incident response Analysis
TOMORROW
bull lsquoThe end of APTsrsquobull Alternative payment systems and stock exchangebull Sabotage extortion and shamebull Ransomwarebull Trusted resourcesbull From lsquoAPT-as-a-Servicersquo to lsquoAccess-as-a-servicersquobull Balkanisationbull Transportationbull lsquoCrypto-apocalypse
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
June
201
5
SOCIAL MEDIA
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
bull Evaluate the risksbull Patch OS and applicationsbull Mange your networkbull Secure your systems
Multi-layered protection Not just endpoints Default-Deny Encrypt Donrsquot forget mobile
bull Educate staff
RIGHT NOW
bull Stop fire fighting Create a strategy
bull Itrsquos bigger than ITbull Delegate to experts
Assessment Incident response Analysis
TOMORROW
bull lsquoThe end of APTsrsquobull Alternative payment systems and stock exchangebull Sabotage extortion and shamebull Ransomwarebull Trusted resourcesbull From lsquoAPT-as-a-Servicersquo to lsquoAccess-as-a-servicersquobull Balkanisationbull Transportationbull lsquoCrypto-apocalypse
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
June
201
5
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
bull Evaluate the risksbull Patch OS and applicationsbull Mange your networkbull Secure your systems
Multi-layered protection Not just endpoints Default-Deny Encrypt Donrsquot forget mobile
bull Educate staff
RIGHT NOW
bull Stop fire fighting Create a strategy
bull Itrsquos bigger than ITbull Delegate to experts
Assessment Incident response Analysis
TOMORROW
bull lsquoThe end of APTsrsquobull Alternative payment systems and stock exchangebull Sabotage extortion and shamebull Ransomwarebull Trusted resourcesbull From lsquoAPT-as-a-Servicersquo to lsquoAccess-as-a-servicersquobull Balkanisationbull Transportationbull lsquoCrypto-apocalypse
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
REMOVABLE DRIVES
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
bull Evaluate the risksbull Patch OS and applicationsbull Mange your networkbull Secure your systems
Multi-layered protection Not just endpoints Default-Deny Encrypt Donrsquot forget mobile
bull Educate staff
RIGHT NOW
bull Stop fire fighting Create a strategy
bull Itrsquos bigger than ITbull Delegate to experts
Assessment Incident response Analysis
TOMORROW
bull lsquoThe end of APTsrsquobull Alternative payment systems and stock exchangebull Sabotage extortion and shamebull Ransomwarebull Trusted resourcesbull From lsquoAPT-as-a-Servicersquo to lsquoAccess-as-a-servicersquobull Balkanisationbull Transportationbull lsquoCrypto-apocalypse
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
June
201
5
DIGITAL CERTIFICATES
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
bull Evaluate the risksbull Patch OS and applicationsbull Mange your networkbull Secure your systems
Multi-layered protection Not just endpoints Default-Deny Encrypt Donrsquot forget mobile
bull Educate staff
RIGHT NOW
bull Stop fire fighting Create a strategy
bull Itrsquos bigger than ITbull Delegate to experts
Assessment Incident response Analysis
TOMORROW
bull lsquoThe end of APTsrsquobull Alternative payment systems and stock exchangebull Sabotage extortion and shamebull Ransomwarebull Trusted resourcesbull From lsquoAPT-as-a-Servicersquo to lsquoAccess-as-a-servicersquobull Balkanisationbull Transportationbull lsquoCrypto-apocalypse
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
CONSUMER THREATS IN 2015
Nov-14
Jan-15
Mar-15
May-15
Jul-15
Sep-15
050000
100000150000200000250000300000350000400000450000
Users
Users
2 MILLION ATTEMPTS
In 2015 Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via on-line banking on almost 2 million computers
This number is 28 higher than in 2014
June
201
5
Ransomware
June
20
15
BLOCKERS
CRYPTORS
June
20
15
Stuxnet
Advanced Persistent Threats
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
RedOctober
Miniduke
TeamSpy
Energetis BearCrouching Yeti
Epic Turla
CaretoThe Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 20
Blue Termite
Wild Neutron
We discover and dissect the worlds most sophisticated malware
HOW THE CARBANAK CYBERGANG STOLE $1bn
Carbanak sent backdoor as an
attachment
Bank employee
Emails with exploits
Credentials stolen
100s of machines infectedIn search of admin PC
Admin
REC
CASH TRANSFERSYSTEMS
1 Infection 2 Harvesting IntelligenceIntercepting the clerkrsquos screen
3 Mimicking the staffHow the money was stolen
Online ndash BankingMoney was transferred to the
fraudsters accounts
E- Payment SystemsMoney was transferred to banks in
China and the US
A targeted attack on a bank
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Inflated account balancesThe extra funds were pocketed via a
fraudulent transaction
Controlling ATMSOrders to dispense cash at a pre-
determined time
MAC MALWARE
In 2012 the flashback botnet was discovers consisting of 700000 computers all running under MAC OSX
Cybercriminals repeatedly use MAC malware when launching targeted attacks
MACs can unknowingly pass PC malware onto PCs in your network
MAC MALWARE
20032005
20072009
20112013
20150
5000
10000
15000
20000
25000
30000
Malware
Malware
Since 2012 the proportion of adware on OSX has increased fivefold
Kaspersky Lab recorded almost 6 million unique attacks on MAC devices in 2015
x5
There are more then 24000 sample of malicious OSX files in Kaspersky Labrsquos collection
MOBILE MALWARE
Q1 2011
Q3 2011
Q1 2012
Q3 2012
Q1 2013
Q3 2013
Q1 2014
Q3 2014
Q1 2015
Q3 20150
200000400000600000800000
1000000120000014000001600000
Malware
Malware
MOBILE MALWARESales
Adware RiskTool Trojan-SMS
Trojan Trojan-Spy Backdoor
Trojan-Down-loader
Trojan-Banker
Trojan-Ransom
Monitor Other
bull Evaluate the risksbull Patch OS and applicationsbull Mange your networkbull Secure your systems
Multi-layered protection Not just endpoints Default-Deny Encrypt Donrsquot forget mobile
bull Educate staff
RIGHT NOW
bull Stop fire fighting Create a strategy
bull Itrsquos bigger than ITbull Delegate to experts
Assessment Incident response Analysis
TOMORROW
bull lsquoThe end of APTsrsquobull Alternative payment systems and stock exchangebull Sabotage extortion and shamebull Ransomwarebull Trusted resourcesbull From lsquoAPT-as-a-Servicersquo to lsquoAccess-as-a-servicersquobull Balkanisationbull Transportationbull lsquoCrypto-apocalypse
FUTURE PROSPECTS
THANK YOU
Closing keynote addressVicki Gavin Compliance Director Head of Business Continuity amp Information SecurityThe Economist Group
Thank you
RANSOMWARE, JUNE 2015
[Chart: ransomware detections, June 2015, split into blockers and cryptors]
ADVANCED PERSISTENT THREATS
Stuxnet
Duqu
Gauss
Flame
MiniFlame
Kimsuky
NetTraveler
Winnti
Icefog
Red October
Miniduke
TeamSpy
Energetic Bear / Crouching Yeti
Epic Turla
Careto / The Mask
Regin
CosmicDuke
Darkhotel
Spring Dragon
Satellite Turla
MsnMM Campaigns
Darkhotel Part 2
Animal Farm
Equation
Desert Falcons
Carbanak
Sofacy
Hellsing
Naikon
Duqu 2.0
Blue Termite
Wild Neutron
We discover and dissect the world's most sophisticated malware.
HOW THE CARBANAK CYBERGANG STOLE $1bn
A targeted attack on a bank
1. Infection: Carbanak sent the backdoor as an attachment. Bank employees received emails with exploits; credentials were stolen and hundreds of machines were infected in search of the admin PC.
2. Harvesting intelligence: the admin PC and the cash transfer systems were recorded, intercepting the clerk's screen.
3. Mimicking the staff: how the money was stolen
• Online banking: money was transferred to the fraudsters' accounts.
• E-payment systems: money was transferred to banks in China and the US.
• Inflated account balances: the extra funds were pocketed via a fraudulent transaction.
• Controlling ATMs: orders to dispense cash at a pre-determined time.
MAC MALWARE
In 2012 the Flashback botnet was discovered, consisting of 700,000 computers all running Mac OS X.
Cybercriminals repeatedly use Mac malware when launching targeted attacks.
Macs can unknowingly pass PC malware onto the PCs in your network.
MAC MALWARE
[Chart: number of Mac OS X malware samples per year, 2003 to 2015, scale 0 to 30,000]
Since 2012 the proportion of adware on OS X has increased fivefold (x5).
Kaspersky Lab recorded almost 6 million unique attacks on Mac devices in 2015.
There are more than 24,000 samples of malicious OS X files in Kaspersky Lab's collection.
MOBILE MALWARE
[Chart: number of mobile malware samples per quarter, Q1 2011 to Q3 2015, scale 0 to 1,600,000]
MOBILE MALWARE BY TYPE
[Chart: share of mobile malware by type: Adware, RiskTool, Trojan-SMS, Trojan, Trojan-Spy, Backdoor, Trojan-Downloader, Trojan-Banker, Trojan-Ransom, Monitor, Other]
RIGHT NOW
• Evaluate the risks
• Patch OS and applications
• Manage your network
• Secure your systems: multi-layered protection, not just endpoints; default-deny; encrypt; don't forget mobile
• Educate staff
TOMORROW
• Stop fire fighting: create a strategy
• It's bigger than IT
• Delegate to experts: assessment, incident response, analysis
FUTURE PROSPECTS
• 'The end of APTs'
• Alternative payment systems and stock exchange
• Sabotage, extortion and shame
• Ransomware
• Trusted resources
• From 'APT-as-a-Service' to 'Access-as-a-Service'
• Balkanisation
• Transportation
• 'Crypto-apocalypse'
THANK YOU
Closing keynote address: Vicki Gavin, Compliance Director, Head of Business Continuity & Information Security, The Economist Group
Thank you