20120208 Strategic approach to tackle cybercrime & the botnet threat
How to prevent a disaster in cyberspace ? The need for an international approach to undermine the criminal cyber architecture
© 2012 Luc Beirens – Federal Computer Crime Unit - Belgian Federal Judicial Police – Direction economical and financial crime
Berlin, 8 February 2012. Combating Cybercrime in Europe – fighting botnets: Optimised Tools for Investigation and Law Enforcement
Presentation
@LucBeirens Chief Commissioner Head of the Federal Computer Crime Unit Belgian Federal Judicial Police Direction Economical and financial crime
Chairman of the EU Cybercrime task force
representing the organization of heads of national high-tech crime units of the EU
Topics - overview
General trends today
Cyber crimes and cyber criminals today
What hinders the combat today ?
A proposal for an integrated response
Belgian experiences
General trends today
Evolution towards e-society
replace persons by e-applications
Interconnecting all systems (admin, industrial, control)
IP is the common platform offered by many ISPs, integrating telephony / data / VPN & all new apps => opportunities / Achilles heel / scattered traces
Poor security in legacy applications and protocols (userid+pw) => identity fraud is easy
End user is not yet educated to act properly
What do criminals want ?
Become rich / powerful rapidly, easily, with a very big ROI, in an illegal way if needed
Destabilize (e-)society by causing trouble
How : cyber crimes today
e-fraud => give money to the criminals
spam => start for eFrauds / MW distrib
hacking =>
change content of your website (defacing)
transfer money from the hacked system
espionage => know your victim
use of hacked system => storage / spam / proxy / DNS / CC / DDOS
DDOS distributed denial of service attacks
How to combat cyber criminals ?
Analyse their methods and tools
[Diagram: Botnet attack on a webserver / node. Elements: Hacker, Command & Control Server, Internet, Webserver / node; the zombie reports "My IP is x.y.z.z" and receives Info / Cmd; effects: Access line blocked, Computer Crash]
2004 UK : gambling website down (+ hoster + ISP)
2005 Netherlands : 2 botnets : millions of zombies
2005 Belgium : Commercial firm during social conflict
2006 Sweden : Gov websites after police raid on P2P
2007 Estonia : politically inspired widespread DDOS attack
2008 Georgia : cyber war during military conflict
2010 Worldwide : Wikileaks cyberconflict
2011 – 2012 : Anonymous attacks on Gov sites
What are botnets used for ? Getting data & making money !
Sometimes still for fun (scriptkiddies)
Spam distribution via Zombie
Click generation on banner publicity
Dialer installation on zombie to make premium rate calls
Spyware / malware / ransomware installation
Espionage : banking details / passwords / keylogging
Transactions via zombie PC
Capacity for distributed denial of service attacks DDOS => disturb functioning of internet device (server/router)
[Diagram: Malware update / knowledge transfer. Elements: Hacker, Command & Control Server, Knowledge server, Malware update server, Internet, Webserver / node; on a trigger event the zombie sends very frequent MW update requests and receives MW updates]
Cyber criminal’s toolbox
malware => trojan horses
distribution via mail, p2p, social networks, websites
auto-update & auto-propagation in network
very high rate of new versions
remote control of infected systems => botnets
creation of knowledge databases
collected & keylogged info of infected pc
keyservers in safe haven countries
But the criminal cyber architecture also includes ...
Underground fora and chatrooms
Botnets for hire
Malware on demand / off the shelf packages
Trade stolen Credit cards / credentials
Money laundering services
Organized Cyber criminals
take over / set up ISP’s
infiltrate in development firms
And the victims ?
Who ?
Communication networks and service providers
Companies especially transactional websites
Every internet user
Reaction
Unaware of incidents going on => dark number
Victims try to solve it themselves
Nearly no complaints made => dark number
Result ? The hackers go on developing botnets
Risks
Economical disaster
Large scale : critical infrastructure
Small scale : enterprise
Individual & corporate (secret) data
Loss of trust in e-society
Combined threat
What if abused by terrorists ? Cyber army ? ... simultaneously with a real world attack ?
How will you handle the crisis ? Your telephone system is not working !
Intermediate conclusions
Society is very dependent on ICT
eSociety is very vulnerable to attacks
Urgent need to reduce risks on critical ICT
Botnets as criminal cyber infrastructure is common platform for lots of cybercrimes => undermine it and you reduce crime
Traditional way of law enforcement to tackle cybercrime
Reactive
Register complaint => judicial case
Hotlines (or cooperation with)
(Eventually) undercover operations
Proactive (?)
Who is doing what, where and how ?
Patrolling the net
Effective (?) but not undermining cybercriminals
What hinders an effective combat of cyber crime ?
Unawareness and negligence end user
Lack of overall view on risks / incidents by
Enterprise managers
Political decision makers
Combating : everyone on his own
Lack of specialized investigators
Jurisdictions limited by national borders
Subscriber identity fraud
Mobility of the (criminal) services in cloud
What actions are needed ?
Everyone plays a role in e-security
We have to do it as partners
We have to do it in an integrated way
Goals for operational cybercrime action plan
As “society” (= gov & private sector) improve detection and get a view and act on
criminal cyberinfrastructure especially botnets
incidents threatening eSociety
Strengthen robustness of ICT eSociety
ISP’s / Enterprises / End users
Weaken and dismantle the criminal cyberinfrastructure
Each partner within his role & competence
[Diagram: botnet architecture with Hacker, Botnet servers (CC, Knowledge, MW), Internet and Webserver / node, annotated with the actions listed below]
Actions against botnet architecture
Preserve evidence
Report incident
Identify critical infrastructure
Alarm procedures
Prevent infection & MW autopropagation
Detect infections & disinfect
Stop activity
Bring to court
Preserve evidence
Analyse to identify hacker & zombies
Take out of order
Role of governments & international organizations
Working according to a strategy
Develop international plans & reaction schemes for critical ICT infrastructure protection
Develop legal framework
Obligation to report cybercrime incidents
Obligation to secure your computersystem (?)
Possibility for ISP to cut off infected machines (?)
Obligation to respond to requests of Gov authority when serious incidents happen
Telecommunications sector
Prevent / reduce SPAM
Have to make their infrastructure robust
Report serious incidents to CERT
Integrated reaction with authorities
Implement strong authentication in internet protocols and services
Detect negligent end users & react/help/cut off
Enterprises
E-Security = business risk => management responsibility
Think about how to survive when e-systems are under attack
Enforce detection of incidents – IDS ?
Report incidents to CERT ? to police ?
Integrate strong authentication in e-business applications
Developers
Strong authentication
Use the strongest available but ...
Think like a hacker : how can a transaction on an infected PC be intercepted ?
Store IP-addresses and timestamps
of the end user ! not of the router !
Needed in case of an incident !
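The developer advice above (store the end user's IP address and timestamp, not the router's) in working form, as an added example that is not part of the presentation: a small Python routine that extracts the end-user address behind a trusted reverse proxy and records it with a UTC timestamp. The trusted proxy ranges, the X-Forwarded-For header handling and the sample requests are assumptions constructed for this example.

```python
"""Added example (not from the presentation): log the end user's address and a
UTC timestamp per transaction, instead of the address of the reverse proxy or
NAT router in front of the application. Proxy ranges, header name and sample
requests are constructed for illustration."""
import ipaddress
from datetime import datetime, timezone
from typing import Optional

# Assumed: the reverse proxies we operate. Only X-Forwarded-For entries that
# were appended by these hosts are believed; anything else is untrusted.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.10/32"),
]

# Fixed timestamp so the sample output is reproducible (constructed value).
EXAMPLE_TIME = datetime(2012, 2, 8, 9, 30, tzinfo=timezone.utc)


def _is_trusted(addr: str) -> bool:
    """True if addr is one of our own proxies; malformed input is untrusted."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff_header: Optional[str]) -> str:
    """Return the address to store as the end user's.

    Walk the X-Forwarded-For chain from the right (nearest hop first) and stop
    at the first address that is not one of our proxies: that address is the
    one our proxy actually saw connecting, so the client cannot pick it.
    If the direct peer is not a trusted proxy, the header is ignored entirely,
    because the client could have written anything into it.
    """
    if not _is_trusted(remote_addr) or not xff_header:
        return remote_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop):
            return hop
    # Every listed hop was one of ours: fall back to the direct peer.
    return remote_addr


def transaction_record(user: str, action: str, remote_addr: str,
                       xff_header: Optional[str],
                       now: Optional[datetime] = None) -> dict:
    """Build the record to keep for an e-banking style transaction."""
    ts = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    return {
        "timestamp_utc": ts.isoformat(timespec="seconds"),
        "user": user,
        "action": action,
        "client_ip": client_ip(remote_addr, xff_header),
        # Keep the direct peer as well, so the proxy hop is reconstructible.
        "peer_ip": remote_addr,
    }


if __name__ == "__main__":
    # Constructed sample requests as they reach the application.
    # 1. Through our proxy 10.0.0.5: the user is the rightmost untrusted hop.
    print(transaction_record("alice", "transfer", "10.0.0.5",
                             "203.0.113.7", EXAMPLE_TIME))
    # 2. Direct connection with a forged header: the header is ignored.
    print(transaction_record("bob", "login", "198.51.100.9",
                             "1.2.3.4", EXAMPLE_TIME))
    # 3. Client -> external CDN edge (not ours) -> our proxy: we can only
    #    vouch for the CDN edge address, so that is what gets recorded.
    print(transaction_record("carol", "payment", "10.0.0.5",
                             "203.0.113.7, 192.0.2.50", EXAMPLE_TIME))
```

The third case is the one that matters for the "not of the router" point: if an upstream CDN or load balancer is not in the trusted list, the record shows that device's address rather than the user's, which is exactly the gap that makes a later incident investigation impossible.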
Responsibilization of end user
Awareness raising => media
Training on e-security & attitude
already at school
in the enterprises
Obligation to secure his PC properly ?
Role of police and justice ?
Gather intelligence about Botnets
Dismantle botnet servers in your country
Analyse Botnet-servers to find traces to criminals
Focus on knowledge servers & CC servers
EU Council strategy : COSI priorities and OAP ?
Standing Committee on Operational Cooperation on Internal Security (COSI)
EU Council body based on Lisbon Treaty (Art 71 TFEU)
High-level representatives of MS Min Interior and EC
Tasks
to facilitate and ensure effective operational cooperation and coordination in the field of EU internal security
to evaluate the general direction and efficiency of operational cooperation
to assist the Council in reacting to terrorist attacks or natural or man-made disasters (solidarity clause of Art 222 TFEU).
Overview COSI strategic goals and operational action plans cybercrime
Harmony : the COSI policy & implementation cycle
Normally : 4 year cycle except first cycle : 2 year
Policy
Create view on security risks and crime phenomena
Determine priority domains (Cybercrime is prio 8)
Determine strategic goals 4 (2) year
Determine operational action plans OAP 1 year
1 Driver to follow up Cybercrime domain
1 or 2 leaders for each OAP
7 strategic goals
COSI Strategy goals
1. Common legal standard (adapted)
2. User identification by Internet Governance
3. Enhance Police & Justice cyber capabilities
4. Establish European Cybercrime Center
5. Strategy to disrupt crim ict infra esp. botnet
6. PPP for prevention and detection
7. Reporting systems in each MS
Strategic Goal 4
Overview COSI strategic goals and operational action plans cybercrime
To establish the European Cybercrime Centre (ECC) to become the focal point in the fight against cybercrime in the Union contributing to faster reactions in the event of cyber attacks
European Cybercrime centre
Place, role, tasks, organization still not clear
Study by Rand Europe => decision 1st half 2012
At Europol ?
Improve law enforcement efforts tackling cybercrime
Tasks
Intelligence focal point : monitoring, detection, collection, analysis, alerting, information => core AWF Cyborg ?
Develop a high level forensic capability
Liaise with MS LEA, industry and internet governance
R&D Develop good practices for prevention and PPP
Strategic Goal 5
To establish and implement a common Union approach to disrupt and dismantle the criminal infrastructure in cyberspace, especially botnets
International Botnet actions
Problems with it ?
Belgian experience
1 national FCCU + 25 regional CCUs = 175 officers (computer forensics & cybercrime combat)
2 specialized Federal prosecutors; minimum 1 ICT reference prosecutor / district
FCCU analyses attacks on critical ICT infra
BelNIS Gov Network information security
Develops and organizes ICT security strategy
Problem : no central authority
Since 2009 : Cert.be for Gov and Critical infra
Belgian experience
eBanking fraud => start of Malware analysis
Gain insight in how it’s working
Leads to detection of botnet-servers / bogus ISP’s
Combined team cybercrime & financial investigators
Building trust with law enforcement with other countries
Collaboration with several partners and organizations => information sent to & analysed by Cert.be
Effective in dismantling of Botnet-servers (70 since ‘09)
Impact of 1 Malware distribution server ? Analysis shows
2 months 1,5 million downloads, 300.000 unique IP’s
Problems
Botnet-servers often on victim’s servers
But is it really a victim ?
No knowledge-servers in BE
Language problem during analysis CC-server
Is it the role of the police / Cert ?
If Cert does it (eg Finland)
=> fast but do we go after criminals afterwards ?
Which incidents are severe enough to report to police ?
If police does it
Which botnet-servers do we analyse ?
Malware analysis => help from AV-industry ?
Do we really have an impact ?
Several hundreds of botnets
5.000 – 10.000 botnet servers world wide
Millions of infected end users => need for action in every country
Contact information
Federal Judicial Police Direction for Economical and Financial crime
Federal Computer Crime Unit Notelaarstraat 211 - 1000 Brussels – Belgium
Tel office : +32 2 743 74 74 Fax : +32 2 743 74 19
E-mail : [email protected] Twitter : @LucBeirens Blog : LucBeirens.blogspot.com