The cyber criminal community has evolved from pranksters, lone wolves, and organized
gangs to nation-states and hacktivist groups whose primary results have been increased
costs and lost productivity. As enterprises and governments connect literally everything to
the Internet, the size of their attack surface has grown, opening more opportunities for
cyber criminals. Many of their current exploits are going unnoticed.
Figure: a matrix scoring each security control (Keys & Certificates, IAM, IDS, Firewall, A/V, VPN, DLP, IPS, MDM) with + or – for Awareness, Visibility, Detection and Ability to Respond.
The Evolving Cyberattack Landscape

Figure: timeline marked 1997, 2004, 2007, 2010 and 2013, showing the eras Viruses & Worms, For-Profit Malware, APTs, and Key & Certificate-Based Attacks:
• Code Signing Certificates
• SSH Key Theft
• Server Key Theft
• Weak Crypto Exploits
DAMAGE LEVEL: DISRUPTION
VIRUSES, WORMS & DDoS
CIH COMPUTER VIRUS (1998)
The virus infected over 60 million computers worldwide, causing an estimated billion dollars in damage. It was launched by Chen Ing-hau, a university student in Taiwan, who claimed to have created the virus to challenge the bold claims of the antivirus community.
DAMAGE LEVEL: DISRUPTION
VIRUSES, WORMS & DDoS
DISTRIBUTED DENIAL OF SERVICE (1998)
The first distributed-denial-of-service (DDoS) attacks ever recorded targeted the Mexican government and the Pentagon.
SLAMMER WORM (2003)
This worm drove a DDoS against multiple Internet hosts and dramatically slowed down Internet traffic. The worm, based on proof-of-concept code demonstrated at Black Hat by David Litchfield, infected 75,000 victims in the first 10 minutes of its release by exploiting a vulnerability that allowed it to generate random IP addresses and send itself out to them.
DAMAGE LEVEL: CYBERCRIME
FOR-PROFIT MALWARE
MYDOOM (2004)
Mydoom spread via spam. It harvested email addresses to propagate further, then added a backdoor to victims' machines for later use, for example as a remote proxy for DDoS, so that the victims' machines became part of a botnet.
DAMAGE LEVEL: CYBERCRIME
FOR-PROFIT MALWARE
FAKEWARE/SCAMWARE (2005)
A popup message warns users that their machines may be infected and urges them to download and install what is presented as antivirus or anti-spyware software. The software is fake: the message is a hoax to fool the user into installing malicious code.
DAMAGE LEVEL: CYBER ESPIONAGE
APTs
ZEUS TROJAN (2007)
This is one of the first examples of an attack that takes advantage of technologies used to ensure trusted digital communications. The Trojan steals banking credentials using man-in-the-browser keystroke logging and form-grabbing methods. Zeus stole information from the U.S. Department of Transportation and is now believed to have infected over 74,000 websites, including BankOfAmerica.com, NASA.gov, ABC.com and Amazon.com.
DAMAGE LEVEL: CYBER ESPIONAGE
APTs
CONFICKER (2008)
Targeting the Microsoft Windows operating system, Conficker used flaws in Windows software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques.
Conficker infected millions of computers, including government, business and home computers, in over 200 countries. 2008 was also the year MD5 was discovered to be exploitable.
DAMAGE LEVEL: WORLD WITHOUT TRUST
Code Signing Certificates, SSH Key Theft, Server Key Theft & Weak Crypto Exploits
STUXNET (2010)
Discovered in June 2010, this malware – reported to have been created by the United States and Israel to attack Iran's nuclear facilities – was the first cyber attack recognized as being made possible by compromised digital certificates.
Stuxnet leveraged unprecedented and advanced sophistication, zero-day exploits and a network of insiders to install itself on Windows systems used to manage industrial control systems. Stuxnet remained undetected on the network for months, using a compromised digital certificate to validate itself. Its payload left behind a trail of physical destruction.
DAMAGE LEVEL: WORLD WITHOUT TRUST
Code Signing Certificates, SSH Key Theft, Server Key Theft & Weak Crypto Exploits
DIGINOTAR (2011)
This attack on a Certificate Authority (CA) marked a significant point in the history of cyber attacks. For the first time, a trust technology provider, the CA itself, was forced to warn customers, including a national government, and the world that it could not be trusted.
The attacker took complete control of all eight of the company's certificate-issuing servers during the operation. Though it is unconfirmed, there is a possibility the attacker may also have issued rogue certificates that have not yet been identified. What is known is that 300,000 Gmail accounts were attacked. The attack also proved that a cyber debacle could ruin a business, as the CA itself was forced out of business due to the incident.
DAMAGE LEVEL: WORLD WITHOUT TRUST
Code Signing Certificates, SSH Key Theft, Server Key Theft & Weak Crypto Exploits
FLAME (2012)
Designed to spread from one infected computer to other machines on the same network using a rogue certificate, Flame allowed attackers to take control of what noted cyber-war expert Richard Stiennon once referred to as the "Holy Grail" of all potential cyber weapons – the Microsoft update server. When infected computers requested updates, Flame intercepted the request and, instead of the update, delivered a malicious executable to the machine that was signed with a rogue, but technically valid, Microsoft certificate. While Microsoft closed the door on Flame in its systems by issuing a patch, Flame essentially gave cyber criminals the blueprint for executing similar attacks.
In 2012, the number of malware samples signed by stolen certificates grew 10x.
DAMAGE LEVEL: WORLD WITHOUT TRUST
Code Signing Certificates, SSH Key Theft, Server Key Theft & Weak Crypto Exploits
Few are looking at the real problem: 600% year-over-year growth in compromised digital certificates in 2013.
TURKTRUST (2013)
The CA issued two SSL intermediary certificates that could be used to issue certificates for any domain. One of the intermediary certificates was used to issue an SSL certificate put into use for google.com. Google discovered the unauthorized certificate in January 2013 and noted that it came from an intermediary CA that had obtained its authority from a TURKTRUST certificate. No foul play was suspected at TURKTRUST, and the damage has yet to be fully assessed.
DAMAGE LEVEL: WORLD WITHOUT TRUST
Code Signing Certificates, SSH Key Theft, Server Key Theft & Weak Crypto Exploits
In February 2013, over 800 different trojans designed to steal keys and certificates were launched.
BIT9 HACK (2013)
Hackers compromised this security provider's network and digitally signed malware using Bit9's own signing keys, which made it impossible for customers using its cyber defense technologies to know whether they were downloading legitimate files or malware. The extent of the damage may never be fully known, but the company claims to provide white-listing services for 30 Fortune 100 firms, almost one-third of the largest companies in the world.
DAMAGE LEVEL: WORLD WITHOUT TRUST
Code Signing Certificates, SSH Key Theft, Server Key Theft & Weak Crypto Exploits
APT1 (2013)
In what has been the most shocking and bold cyber attack revelation to date, Mandiant revealed in its APT1 report that nation-backed, China-based hackers had used self-signed digital certificates to implant malware into hundreds of U.S. companies over a period of several years. As part of the ground-breaking revelation, Mandiant stated that 100 percent of the APTs used compromised digital certificates, keys and certificates included.
DAMAGE LEVEL: WORLD WITHOUT TRUST
Code Signing Certificates, SSH Key Theft, Server Key Theft & Weak Crypto Exploits
SNOWDEN (2013)
The Snowden compromise was based not so much on malicious code as on the blind trust organizations place in keys and certificates, and it highlighted the lack of control and visibility over these cryptographic assets, which give insiders unfettered access to highly sensitive systems. Snowden used fabricated digital keys to elevate his privileges and gain access to sensitive information.