Modern Adversaries (Amplify Partners)

Post on 16-Jan-2017



Modern Adversaries: Why modern hackers are winning the battle and how we can still win the war

Andy Manoske, Principal

Who is Amplify Partners?

We are an early stage, entrepreneur-focused venture capital firm investing in technical teams solving technical problems

@AmplifyPartners

www.amplifypartners.com

About the Author

Andy Manoske

Product @ AlienVault (Open Threat Exchange, AlienVault Labs Research)

Product @ NetApp (Product Security, Cryptography)

Principal, Amplify Partners

Economics & Computer Science @ SJSU (Mathematical Economics, Information Security)

@a2d2

Chart: Cyberattack reports to US-CERT by year, 2006 to 2014 (y-axis: 0 to 70,000 reports)

Successful cyberattacks are on the rise…

Source: US-CERT

…because we are facing more sophisticated attackers

Source: Verizon DBIR 2014

The modern hacker is an advanced adversary…

but not necessarily because they are better than previous generations of attackers.

(Sorry, Neo)

Instead, modern hacking tools are more advanced and more available than ever before

Source: Axiomatic Design/Design Patterns Mashup: Part 2 (Cyber Security)

These tools make even novice modern hackers…

…incredibly dangerous

Modern adversaries are able to strike highly defended targets

because hacking tools have advanced faster than security systems that detect and stop attacks

Anthem was well defended

200-person information security staff

$50 Million spent on security per year

Source: Indianapolis Business Journal

But they were not prepared for their adversary’s complex attack

>12 months of access to sensitive user data

80 Million records stolen

Source: Crowdstrike, NYT

To build new security systems that can defend against complex attacks

We need to build software that can detect and stop the modern tools used by modern adversaries

Who are Modern Adversaries?

The modern hacker is frequently a professional

…who attacks private businesses for financial gain

Source: Hackmageddon

Most modern attacks target companies to steal valuable data: most frequently financial data or intellectual property.

Source: Hackmageddon

Hackers then sell this stolen data on the black market,

and that data is increasingly used to commit identity theft, espionage, and possibly even acts of terrorism.

Chart: Reported PII theft and fraud, 2006-2014

Not every cyberattack is focused on profit.

Defacing or destroying online property remains a key objective for many advanced adversaries

There are typically three types of modern adversary:

● State Sponsored Hackers

● Organized Crime

● Hacktivists

State Sponsored Adversary: Energetic Bear / Dragonfly

Russian hacking group either supported or directly managed by Russian state intelligence

● Unpublicized attack on petroleum pipeline operator to steal energy infrastructure information

● Unpublicized Industrial Control System (ICS) sabotage of an EU-based energy management operator, positioning for future attacks and outages


Organized Crime Adversary: Solntsevskaya Bratva

Largest crime syndicate of the Russian mob, heavily involved in cybercrime, with >$3B in annual revenue from hacking

● 2014 JP Morgan Chase data breach targeting wealth management and credit card user data

● 2008 cyberattacks to spread disinformation on Georgian government websites during Russia’s invasion of South Ossetia

Hacktivist Adversary: AntiSec

Anarchist campaign of former members of the hacking group LulzSec and members of the Anonymous community.

● 2014 data breach of the US International Association of Chiefs of Police to leak personnel data in response to investigations into Occupy Wall Street protestors.

● 2011 compromise of Fox News’ Twitter account to spread a fake story that President Obama had been injured in a terrorist bombing.

Most attacks are being perpetrated by organized crime hackers and hacktivists

Source: Hackmageddon

Chart: Attacker Sophistication vs. Attacker Resources, plotting Hacktivists, Organized Crime and State Sponsored Hacking

Which means most attacks are from less individually sophisticated adversaries…

…who employ less sophisticated attacks…

…reliant upon pre-made tools and malware

To confront the majority of attacks from advanced adversaries

We must detect and stop modern hacking tools

Unfortunately, modern hacking tools and malware are good at evading detection

Encryption: Modern malware is frequently encrypted so that its bytes no longer match the signatures used by signature-based intrusion detection systems

Botnets: Modern hacking tools and malware hide behind legions of enslaved “zombie” computers

But while botnets and encryption may hide most tools and malware,

the command and control (or “C2”) structure behind those tools generally remains the same.

Source: Cisco

Source: AlienVault

Example: Attackers who struck the US Office of Personnel Management (OPM) used the same C2 server…

…that was used to attack

as well as several US companies in…

● Defense Aviation

● Oil and Gas Infrastructure

Source: AlienVault, Symantec

There are many things the security industry can do to confront modern threats…

…but if we want to stop most attacks from advanced adversaries we need to build software that:

● SHARES DATA ON ATTACKERS: Automatically shares analysis data to open-source platforms to be used in security defenses

● PERFORMS DYNAMIC ANALYSIS: Introspects incoming files and traffic for possible C2 infrastructure
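The following is an added example, not code from the Amplify Partners deck or from AlienVault. It illustrates the three points made above in working code: a byte signature stops matching as soon as the payload is encrypted (the "Encryption" slide), but the C2 behaviour behind the malware is unchanged, so a detector that keys on who a host talks to and how regularly still catches it (the "C2 structure remains the same" and OPM slides), and the destinations it finds can be published as new indicators for others to block (the "shares data on attackers" point). Every payload, indicator and proxy-log line is constructed for the example; the indicator set and the JSON sharing shape are hypothetical stand-ins, not the real format or API of any threat-exchange platform.

```python
"""Signature evasion vs. C2-behaviour detection (added example, constructed data)."""
import json
import re
import statistics
from collections import defaultdict
from datetime import datetime

# --- 1. Signature-based detection and why encryption defeats it -----------

# Constructed clear-text implant containing a distinctive string.
SAMPLE_PAYLOAD = b"\x90\x90CONNECT_BACK 198.51.100.23:443\x00"
PAYLOAD_SIGNATURE = rb"CONNECT_BACK"  # the byte signature an IDS would carry


def signature_match(payload: bytes) -> bool:
    """True if the static byte signature appears anywhere in the payload."""
    return re.search(PAYLOAD_SIGNATURE, payload) is not None


def xor_obfuscate(payload: bytes, key: int) -> bytes:
    """Single-byte XOR, the weakest 'encryption' a packer applies. Real malware
    uses stronger ciphers, but the effect on a byte signature is identical:
    none of the original bytes survive, so the signature never matches."""
    return bytes(b ^ key for b in payload)


# --- 2. C2-centric detection that never looks at payload bytes ------------

# Hypothetical indicators already shared by other defenders (constructed).
SHARED_C2_INDICATORS = {"198.51.100.23", "c2.example.invalid"}

# Constructed proxy log: timestamp, source host, destination, bytes sent.
# ws-017 beacons to a known C2 every ~5 min; ws-042 beacons every ~1 min to
# a host nobody has reported yet and also browses a CDN at irregular times.
PROXY_LOG = """\
2015-06-01T10:00:00 ws-017 198.51.100.23 412
2015-06-01T10:00:10 ws-042 203.0.113.77 388
2015-06-01T10:00:15 ws-042 cdn.example.net 51233
2015-06-01T10:00:16 ws-042 cdn.example.net 9801
2015-06-01T10:01:12 ws-042 203.0.113.77 391
2015-06-01T10:02:09 ws-042 203.0.113.77 386
2015-06-01T10:03:11 ws-042 203.0.113.77 390
2015-06-01T10:04:10 ws-042 203.0.113.77 389
2015-06-01T10:05:01 ws-017 198.51.100.23 410
2015-06-01T10:07:40 ws-042 cdn.example.net 12044
2015-06-01T10:09:59 ws-017 198.51.100.23 415
2015-06-01T10:12:30 ws-017 203.0.113.5 2201
2015-06-01T10:15:00 ws-017 198.51.100.23 411
2015-06-01T10:20:02 ws-017 198.51.100.23 409
2015-06-01T10:31:02 ws-042 cdn.example.net 7780
"""


def parse_log(text):
    """Return (timestamp, src, dst) tuples; byte counts are not needed here."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _size = line.split()
        events.append((datetime.fromisoformat(ts), src, dst))
    return events


def find_indicator_hits(events, indicators):
    """(src, dst) pairs whose destination is an already-shared C2 indicator."""
    return {(src, dst) for _ts, src, dst in events if dst in indicators}


def find_beacons(events, min_count=4, max_cv=0.1):
    """(src, dst) -> mean interval in seconds for pairs that connect at
    near-constant intervals. max_cv bounds the coefficient of variation of
    the gaps between connections: human browsing is bursty and fails the
    test, implant check-ins with little jitter pass it."""
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.stdev(gaps) / mean <= max_cv:
            beacons[pair] = round(mean)
    return beacons


def new_indicators(beacons, known):
    """Beaconing destinations not yet on the shared list: what to publish."""
    return sorted({dst for (_src, dst) in beacons if dst not in known})


def share_indicators(dsts, source="beacon-detector"):
    """Serialise new C2 candidates in a simple, hypothetical JSON shape."""
    return json.dumps([{"indicator": d, "type": "c2", "source": source} for d in dsts])


if __name__ == "__main__":
    print("signature on clear payload:", signature_match(SAMPLE_PAYLOAD))
    print("signature on XOR'd payload:", signature_match(xor_obfuscate(SAMPLE_PAYLOAD, 0x5A)))
    events = parse_log(PROXY_LOG)
    print("known C2 hits:", find_indicator_hits(events, SHARED_C2_INDICATORS))
    beacons = find_beacons(events)
    print("beaconing pairs:", beacons)
    print("to share:", share_indicators(new_indicators(beacons, SHARED_C2_INDICATORS)))
```

The beacon threshold is the part a practitioner tunes: legitimate periodic traffic (NTP, update checks, monitoring agents) also beacons, so in practice the candidate list is filtered against an allow-list before anything is published, and the interval and destination are what get shared, never the raw logs.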

TL;DR: A new generation of modern adversaries is driving a hacking boom

This generation has access to powerful, easy to use hacking tools

If we do not rethink our approach and update our security systems, the advantage enjoyed by modern adversaries will continue to grow