In this talk we will look at the current attacker community as well as the tactics and capabilities that are currently being leveraged against targets across the globe. We will then go into the financial mechanics behind both financially motivated cybercrime and nation-state espionage. We will touch on some of the scary capabilities of attackers and try to work through the reason why we still aren't seeing the broad-scale destructive attacks that everyone has been predicting for years.
By Jim Walter, Senior Research Scientist, Cylance
Exploring the Capabilities and Economics of Cybercrime
1. Exploring the Capabilities and Economics of Cybercrime
Recent Trends and Highlights
JIM WALTER
SENIOR RESEARCH SCIENTIST | CYLANCE
2. INTRODUCTIONS
JIM WALTER
Sr. Research Scientist with Cylance
Previously ran Threat Intelligence and Advanced Threat Research efforts at McAfee / Intel Security (1998-2015)
3. OVERVIEW
Current Attacker Community / Climate
Current Campaign and TTP Highlights
Mechanics
Mitigations & Countermeasures
Conclusions
4. Statistics
Cybercrime
Average Annualized Cost = 9.5 Million
21% increase in total cost over 2015
Global cost of cybercrime in FY2016 = ~460 Billion
"Malware" dominates attack types in 2016
Information loss/theft is now the most costly consequence of cybercrime
23. Mitigations and Countermeasures
Take note:
A majority of malware is single-use or target/host specific.
A majority of malware does not end up in the wild or on VT or similar sharing sites/services.
24. Mitigations and Countermeasures
In 60% of cases, attackers are able to compromise an organization within minutes.
99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published.
95% of malware types showed up for less than a month, and four out of five didn't last beyond a week.
70–90% of malware samples are unique to an organization.
25. Mitigations and Countermeasures
Just under 1500 "malware-related" breaches in 2016 (as opposed to physical theft, miscellaneous hacking, social engineering and more)
"Analysis of one of our larger datasets showed that 99% of malware hashes are seen for only 58 seconds or less. In fact, most malware was seen only once. This reflects how quickly hackers are modifying their code to avoid detection."
26. Mitigations and Countermeasures
What to do?
Signatures and traditional methods will never keep up.
Learn from the past and smarten your countermeasures.
AI and/or machine learning lead to true prevention and the application of updated methodology to endpoint protection.
Src: Ponemon 2016 HPE CCC GLOBAL REPORT FINAL 2
Numbers vary depending on report but main takeaway – billions and growing.
Herjavec Group.
** http://www.pwc.com/gx/en/economic-crime-survey/pdf/GlobalEconomicCrimeSurvey2016.pdf
Pronunciation: Pon-eh-men
Note Overlaps in categories
Note issues with 2nd item and Dwell time (DBIR)
DBIR
Recon / scanning is done via JexBoss, which scans for a set of specific JBoss vulnerabilities. Depending on what is found, the attacker then has the option to initiate the attack. This is very similar to using Metasploit or Cobalt Strike in that respect.
Hosts that report to AD are identified via csvde.exe, and the results are written to a CSV file.
Much of the control is manual via reGeorg, tunneling RDP over HTTP.
The attackers then generate the key pair for the ransomware and upload the ransomware along with the public key data to accessible systems via a batch file.
In most cases they are also scripting the deletion of Volume Shadow Copies (VSS). This is very common in recent ransomware attacks.
Additional scripts (batch files) are used to launch the ransomware via a repackaged version of PsExec.
The ransomware self-deletes via Microsoft's sdelete.exe (embedded in the ransomware executable) after encryption is complete.
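The chain above (AD host export with csvde.exe, shadow-copy deletion, a PsExec-style launch, sdelete wiping the payload) is what a defender can key on when, as slides 23-25 note, every sample hash is unique and signature matching sees nothing. The following is an added example, not code from the talk: it triages constructed Windows process-creation events with behaviour rules versus a hash blocklist. The rule patterns, the event fields and the hashes are all my own constructions.

```python
import re
from collections import Counter

# Behaviour rules keyed on the tool chain in the speaker notes (my own
# patterns, not from the talk): AD host export, shadow-copy deletion,
# PsExec-style remote launch, sdelete wipe of a dropped executable.
RULES = [
    ("ad_host_export", re.compile(r"csvde(\.exe)?\b.*\s-f\s+\S+\.csv", re.I)),
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("psexec_style_launch", re.compile(r"\bpsex(ec|esvc)(\.exe)?\b", re.I)),
    ("secure_delete", re.compile(r"\bsdelete(\.exe)?\s+.*\.exe\b", re.I)),
]

# Constructed "signature database": one hash that no per-host unique sample will match.
KNOWN_BAD_HASHES = {"00" * 32}

def classify(event):
    """Names of the behaviour rules matched by one process-creation event."""
    haystack = f"{event['image']} {event['cmdline']}"
    return [name for name, rx in RULES if rx.search(haystack)]

def triage(events):
    """Hash-signature hits versus behaviour hits over a batch of events."""
    signature_hits = sum(1 for e in events if e["sha256"] in KNOWN_BAD_HASHES)
    behaviour = Counter(name for e in events for name in classify(e))
    return {"signature_hits": signature_hits,
            "behaviour_hits": dict(behaviour),
            "stages_seen": len(behaviour)}

# Constructed events; the hashes are placeholders standing in for per-host unique samples.
SAMPLE_EVENTS = [
    {"host": "fs01", "image": r"C:\Windows\System32\csvde.exe",
     "cmdline": 'csvde.exe -f hosts.csv -r "(objectClass=computer)"', "sha256": "a1" * 32},
    {"host": "fs01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet", "sha256": "b2" * 32},
    {"host": "fs02", "image": r"C:\Windows\PSEXESVC.exe",
     "cmdline": "PSEXESVC.exe", "sha256": "c3" * 32},
    {"host": "fs02", "image": r"C:\Windows\Temp\sdelete.exe",
     "cmdline": r"sdelete.exe -p 3 C:\Windows\Temp\locker.exe", "sha256": "d4" * 32},
    {"host": "fs02", "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe", "sha256": "e5" * 32},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Because the repackaged PsExec on the page may carry a different file name, the service-side PSEXESVC artifact is the more durable thing to match; a renamed client binary alone would slip past the name rule, which is the same lesson as the unique-hash problem.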