crime does pay (unless you get caught)

Crime DOES Pay(Unless you get caught)

Renana Friedlich, IR & Forensic Team LeaderHacktics Advanced Security Center, Ernst & YoungFebruary 2013

Crime DOES Pay – OWASP ConferencePage 2

Traditional Forensics

Digital Forensics

He’s tough, but we’ll make him talk.

Example – Bredolab

Russia

Netherlands France

Agenda

► Computer Crime Definition

► Crime Detection

► Dealing with an Incident► Jurisdiction

► Punishment

► Case Studies

► Summary and Recommendations

Computer Crime Definition

► What name would best describe this type of offense?

► Is it a new form of crime?

Computer as a weaponComputer as a target

Rising Above the Noise Level

Vectors that may lead to detection:

Security systems

ProportionsSubject of

attack

Relevant Parties for Detection

End Users

Security Vendors

HoneyNets

Local Police

And more …

Auditing Processes

Governmental Agencies

Top 10 Detected Incidents

► Verizon 2012 Data Breach Investigations Report

Category Attack Overall Rank

Rank @ Large Org.

Hacking Use of stolen login credentials 3 1

Malware Backdoor 6 2

Hacking Exploitation of backdoor C&C channel 7 3

Physical Tampering 9 4

Malware Keylogger/Form-grabber/Spyware 1 5

Social Pretexting (classic social engineering) 11 6

Hacking Brute force and dictionary attacks 5 7

Hacking SQL injection 15 8

Social Phishing (or any type of *ishing) 20 9

Malware C&C (listens for and executes commands) 22 10

Duration Until the Incident is Discovered

Early detection heavily depends on the organization’s security maturity level.

Regulatory Detection

Public Detection

Law Enforcement

Self Detection

0 20 40 60 80 100 120 140 160 180 200

Average time until detection( Days)

Dealing with an Incident

Common ways of dealing with an incident:

Internal Care Law Enforcement Entity

Regulations

Incident Severity

Local crime International crime

Law enforcement authorities ask for extradition

Accepted Denied

Jurisdiction

Punishment

The penalty usually depends on the following factors:

Financial damage

Current & potential damage

Offender intentions &

personal gain

Case Studies

Case Study 1

► Attacker: Pablo Escobar (James Jeffery)

► Victim: Abortions website

Case Study 2

► Attacker: Gary McKinnon

► Victim : USA military computers(“The biggest military computer hack of all time”)

► The US authorities tried to get an extradition

► Requested penalty: Up to 60 years in prison

Case Study 3

Take 1► Age – 19► Arrested for hacking to

computers at NASA, the Pentagon, and more.

► Didn’t try to get a hold of secrets, rather to prove that the systems were flawed.

Take 2

► Age – 28► Accused with charges of

conspiracy and fraud.► Increased or deleted cards

limit, then sold the stolen credit card numbers in the black market.

Case Study 3

1.5 years in prison 3 years probation + $503,000 fine

Summary

► The chances of getting caught are slim.

► Even if an offender does get caught, there is a long way to go before he may stand trial.

► Since so “MANY” stand trial, penalty is disproportionate.

And the Conclusion Is …

Crime Does Pay …

Recommendations

Save logsPoor

Continuous log monitoringModerate

Build incident response capabilitiesGood

How good is your detection mechanism…?

Thank you.

Renana Friedlich,Incident response & forensic team leaderRenana.Friedlich@il.ey.com, 054- 2661260

crime does pay (unless you get caught)

Documents

caught reading3

caught-in hazards

4 caught between

common texas sunfish › ... › pwd_lf_k0700_0692a.pdf ·...

template for ieee/pes technical reports - ieee power and ......

caught act jhadae2

wild-caught seafood

wild caught frogs

designing out crime · police is property related, and...

caught reading!

caught in motion

document resume ed 387 744 cg 026 524 title caught in the...

caught in crossfire

caught reading2

caught redd handed

bernard tyson caught

caught on fim

caught on camera

a beautiful mind meets free...

state smallmouth record caught in cape vincent, new...