Dark Web – Use it at your advantage – infosec… · Stimulus for attack from the Dark Web: delivery of malicious code, C&C (Command&Control) servers, DDoS used to stage “decoy attacks”

Posted on 06-Oct-2020 (36 pages)

TRANSCRIPT

Page 1

wizlynx group © 2017

Dark Web – Use it at your advantage
The Dark Web – Use it to your advantage with Cyber Threat Intelligence

Andreas Crisante / Christian Fichera
@ Meet Swiss Infosec, June 2017

Page 2

Christian Fichera – Senior Cyber Security Consultant @ wizlynx group
• 10+ years’ experience in secure web application development
• Penetration Testing & Secure Code Review specialist
• Web and mobile application security assessments
• Project manager
• Basel, Switzerland

Andreas Crisante – Senior Cyber Threat Intelligence Advisor @ wizlynx group
• Degree in Information Security
• 27+ years of practical experience and business expertise spanning all aspects of information technology management, thereof 16 years in Cyber Security
• Broad experience in defining and providing IT-Security strategies, Cyber Security concepts, IT-Security and Risk-Management, Collaboration Technologies, Search and Knowledge Management
• Basel, Switzerland

Page 3

About wizlynx group – HQ in Switzerland, global presence

A strong Cyber Security service provider:
• Extensive experience in Security Reviews (Penetration Testing and Ethical Hacking, Information Security Audits)
• Infrastructure and network security solutions
• Managed Cyber Security Services
• Incident Response
• Cyber Threat Intelligence
• Complemented with a high level of competency in ISEC, Quality & Project Management for enterprise IT organizations

Portfolio of services (excerpt):
• Pen Tests & Ethical Hacking to assess devices, networks, services and applications for vulnerabilities; Social Engineering to assess the awareness of people
• PMO Services, Project, Quality, Engineering and Cyber Competence Centers
• 24/7 Infrastructure & Security Operations Center

Numerous credentials and extensive experience in:
• Pharmaceutical, banking, insurance, telecom, nutrition, and IT industries

exclusive partner for Switzerland

Page 4

wizlynx Services Portfolio – Security Management Lifecycle

wizlynx Security as a Service – Operate and Maintain
• 7/24 monitoring of security infrastructure
• Analysis of security events from the various sources
• Depending on SLA: up to full management of security events
• Forensic analysis support in case of security breaches
• Incident Handling
• Cyber Threat Intelligence

wizlynx InfoSec Consulting – Policy & Controls
• Identification of the threat profile of the organization
• Plan and organize the ISMS
• Develop security architectures at organizational level
• Definition of applicable Security Controls for the ISMS domains

wizlynx Design & Integration – Design & Architecture
• Design & architecture of security infrastructures
• Develop security architectures at application, network and component level
• Identify solutions per architecture level
• Proactive reduction of vulnerabilities to reduce the impact of possible threats

wizlynx Security Assessments – Assess
• Accurate identification of systems
• Accurate identification of vulnerabilities at application, network and component level

wizlynx IT-Risk Assessments – Threat/Risk Management
• Assessment of threat severities
• Prioritization of remediation efforts
• Managing IT-Risk on

Page 5

THE DARK WEB

Page 6

The Web’s Layers

SURFACE WEB – vast, exposed, easy access
DEEP WEB – partly visible, mostly hidden, requires special access with authentication
DARK WEB – hidden, difficult to find, needs specific access technologies

Page 7

Dark Web: a Distributed Anonymization Network – Technology

• P2P network of many loosely connected hosts running special clients
• Participating hosts have multiple roles (Client, Relay, Exit Node)
• Communication is masked and encrypted
• Requests “hop” through the network to hide origin and/or destination
• Access to content can be restricted to the Dark Web only (so-called “hidden service”)
• Addresses use a specific designation (e.g. “t5dh587hhsg09xi809.onion”)
• The Dark Web provides anonymity to both sites and users

Page 8

History of the Deep/Dark Web. Source: Trend Micro

Page 9

What is the Dark Web? Content, Services & Products

• Collection of un-indexed and anonymous websites
• Marketplaces, forums, wikis, blogs, etc.
• Intelligence exchange
• Marketplace for Remote Access Trojans, exploits, malware, stolen accounts, DBs of stolen data, PII data, malicious services like “Rent a botnet” or “Rent a DDoS attack”, and more!
• Bitcoin as main currency

Categories shown on the slide: Electronic Devices, E-Commerce Accounts, Bank Account Information, Credit Cards, Malware & Exploits, Botnet Rental, Personally Identifiable Information, Hitman for Hire, Counterfeit Money, Hacker for Hire, Drugs, Prescription Drugs, Weapons

Page 10

Hitman for Hire – examples

Page 11

Weapons – examples

Page 12

And more – examples

Page 13

Underground Forums

Page 14

Hacker for Hire – examples

Page 15

DARK WEB AND CYBER SECURITY?

Page 16

Direct Threats from the Dark Web? A new channel for old attacks – How big is the risk for an organization?

• Only a small part of attacks originate from the Dark Web
• The present protection mechanisms and systems remain effective to a certain extent
• SIEM systems can identify Tor traffic, C&C traffic and Cryptolocker attacks
• The Dark Web camouflages the attack origin
• The attacks are analogous to those from the public internet
• Restricts preemptive detection and research, and discovery of the attack chain
• Restricts real-time identification of the threat actor
• Restricts post-breach forensic investigations
• The latest malware patterns analyzed in the outbreak indicate Dark Web integration
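Added example (not from the slides): a small Python scanner that turns two points of the deck, the .onion naming pattern of slide 7 and the slide-16 claim that a SIEM can identify Tor traffic, into detection logic over constructed proxy log lines. The log lines, the hidden-service names and the relay IP are all constructed for the example; a real deployment would load the Tor Project's published exit-node list instead of the one-entry set used here.

```python
import re
from dataclasses import dataclass

# Constructed proxy log lines (not from the slides), one request per line:
# "<timestamp> <client_ip> <method> <host>:<port> <status>"
SAMPLE_PROXY_LOG = """\
2017-06-12T09:14:02Z 10.1.4.23 CONNECT www.example.com:443 200
2017-06-12T09:14:05Z 10.1.4.23 CONNECT abcdefghij234567.onion:443 200
2017-06-12T09:15:11Z 10.1.7.88 GET intranet.corp.example:80 200
2017-06-12T09:16:40Z 10.1.4.23 CONNECT 203.0.113.77:9001 200
2017-06-12T09:17:03Z 10.1.9.5 CONNECT qrstuvwxyzabcdefghijklmnop234567qrstuvwxyzabcdefghijklmd.onion:80 200
2017-06-12T09:18:30Z 10.1.9.5 CONNECT mail.example.com:993 200
2017-06-12T09:19:01Z 10.1.7.88 GET t5dh587hhsg09xi809.onion:80 200
"""

# Constructed stand-in for a relay/exit address list; a real deployment would
# load the Tor Project's published exit-node list instead.
KNOWN_TOR_RELAYS = {"203.0.113.77"}

# Default ports Tor relays commonly listen on (ORPort 9001, DirPort 9030).
TOR_RELAY_PORTS = {9001, 9030}

# Hidden-service names are base32 (a-z, 2-7): 16 characters for the old v2
# format, 56 for v3, always under the .onion pseudo-TLD.
ONION_HOST_RE = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion$")


@dataclass(frozen=True)
class Finding:
    timestamp: str
    client_ip: str
    host: str
    port: int
    reason: str


def parse_line(line):
    """Split one constructed log line into (timestamp, client_ip, host, port)."""
    parts = line.split()
    if len(parts) != 5:
        return None
    timestamp, client_ip, _method, target, _status = parts
    host, _, port = target.rpartition(":")
    if not host or not port.isdigit():
        return None
    return timestamp, client_ip, host.lower(), int(port)


def classify(host, port, relay_ips=KNOWN_TOR_RELAYS):
    """Return a reason string if the destination looks Tor-related, else None."""
    if ONION_HOST_RE.match(host):
        return "onion-hidden-service"
    if host.endswith(".onion"):
        # .onion, but not a valid v2/v3 name: still worth an analyst's look
        # (the illustrative address on slide 7 falls into this bucket).
        return "malformed-onion-name"
    if host in relay_ips:
        return "known-tor-relay" if port in TOR_RELAY_PORTS else "known-tor-relay-ip"
    return None


def scan_proxy_log(text, relay_ips=KNOWN_TOR_RELAYS):
    """Scan log text and return findings suitable for forwarding to a SIEM."""
    findings = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        timestamp, client_ip, host, port = parsed
        reason = classify(host, port, relay_ips)
        if reason:
            findings.append(Finding(timestamp, client_ip, host, port, reason))
    return findings


if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{f.timestamp} {f.client_ip} -> {f.host}:{f.port} [{f.reason}]")
```

Hostname matching only catches clients that resolve .onion names through the corporate proxy; Tor Browser on an endpoint bypasses that path, which is why the relay-address check is needed as well.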

Page 17

Attacks from the Dark Web – How is the Dark Web used by hackers?

• Attacks from the Dark Web mainly use HTTP-based delivery
• SQL Injection and vulnerability scans are the primary attacks discovered

Stimulus for attack from the Dark Web:
• Delivery of malicious code
• C&C (Command&Control) servers
• DDoS used to stage “decoy attacks”
• Delivery of valuable information
• Intelligence exchange
• Marketplace for exploits, hacker tools, etc.

“Knowledge is Power” (Sir Francis Bacon, 1597, English philosopher, statesman, scientist)

Page 18

NEW AGE OF CYBER SECURITY – LEVERAGING WEB(S) INTELLIGENCE

Page 19

New Age of Cyber Security

Perimeter Controls → Intelligence and Integration → Cooperation, Cognition & Preemptive

Page 20

wizlynx CTI (Cyber Threat Intelligence) powered by

• Real-Time Monitoring
• Alerts & Early Warnings
• Qualitative and quantitative research and analysis
• Reporting

Page 21

Cyber Threat Intelligence = Cognition Security – Preemptive, tailored Cyber Security Protection
(Unstructured Data → Cognitive Analytics → Preemptive Security)

Cyber Threat Intelligence allows:
• visibility into the latest malware, exploits and threat vectors
• identification of the organization’s information in the Dark Web and its use as an Indicator of Compromise (IOC)
• detection of upcoming attacks before they become active
• identification of compromised accounts and computers of your organization
• detection of stolen credit card information
• discovery of whether the organization’s confidential information or even trade secrets have become publicly available
• identification of Phishing and Cybersquatting attacks
• automated and fast processing of hidden big data that is difficult to find and needs specific access technologies

Page 22

Sources

Open Sources (sample):
• Social Media – Facebook RSS, Twitter, YouTube
• Web-based communities
• User-generated content – wikis, blogs & video sharing sites
• Public & academic data
• Pastebin
• Search engines
• IRC
• Malware databases (e.g. VirusTotal)
• Zeus Tracker

Closed Sources (sample):
• Closed forums & marketplaces
• Criminal infrastructure hosting malicious attacks
• Malware hunting in the dark net
• Honeypots
• Automated sinkholing
• CERT collaboration
• Malware sandbox combined with human analysis
• Spam mailboxes
• Hacking & underground forums including zero-day exploit forums

Page 23

wizlynx CTI (Cyber Threat Intelligence) powered by – High-level features

Provides an organization with 5 unique capabilities, allowing it to perform the following actions on cyber threat intelligence:
• Collection – from multiple sources and in multiple formats
• Correlation – intelligence across all the modules
• Categorization – malware family, bot IPs, MD5
• Integration – into 3rd-party security tools
• Action – take intelligence to create custom YARA[*] rules to dissect malware

Available as:
• SaaS
• fully Managed Security Service

[*] YARA = open source tool with Perl-compatible regular expressions, used to examine suspected files/directories and match strings.

Page 24

wizlynx CTI (Cyber Threat Intelligence) powered by – Features

wizlynx CTI is divided into distinct yet integrated modules, allowing companies to choose the specific modules that suit their business needs.

Credit Card Theft
• Create a proactive cyber security strategy to prevent credit card fraud
• Block stolen credit cards
• Protect corporate cards and VIPs from non-authorized purchases
• Insurance cost reduction due to control/credit card fraud mitigation

Botnet and Command & Control
• Detect infections in critical servers, VIP users, and clients
• Protect by recovering stolen user IDs and passwords
• Proactive, real-time awareness of crime servers; track and block

Targeted Malware
• Track malware & mobile malware trends to detect targeted malware
• Connect internal network analysis appliances to send malicious binaries for analysis into a cloud-based elastic sandbox
• Early warnings of information theft or leaks due to a malware attack

Rogue Mobile Apps
• Identifies false, infected, modified, or copied apps, as well as apps performing brand abuse activities

Hacktivism
• Live threat data, which can be streamed into a SIEM
• Early warning of information and credential theft or leaks
• Vulnerability analysis specific to the applied technology
• Hacktivism global overview, including active operations/geolocation

Data Leakage
• Detecting information leaks from third parties, such as outsourcing, consultants, audit, and other partners
• Delivering a list of documents with information on the organization
• Gathering “classified” documents/information that is publicly available

Brand Abuse
• The Abuse and Social Monitoring Module monitors online presence to identify brand abuse, reputation damage, and other forms of attacks on your brand

Phishing & Cybersquatting
• Combats attacks by detecting attempts to acquire sensitive information by masquerading as a trusted entity, and by detecting similar domains used to replace the company’s original domains

Media Tracker
• Monitor source mentions with potential impact on brand reputation
• Identify news/media activity threatening the organization’s security
• Filter news and media sources easily with sophisticated search functionality
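Added example (not from the slides and not the wizlynx platform's code): one way to implement the "similar domains" check that the Phishing & Cybersquatting module (and slide 21's cybersquatting point) describes, in Python, over a constructed feed of newly seen domains checked against a constructed protected domain (example.com). It folds punycode and look-alike characters, then classifies by edit distance, embedded brand and TLD swap; the confusables table is a small illustrative subset, and a real deployment would split labels with the Public Suffix List rather than the naive split used here.

```python
import unicodedata

# Constructed protected domain and feed of newly observed domains; none of
# these values come from the slides.
PROTECTED_DOMAINS = ["example.com"]
SAMPLE_FEED = [
    "example.com",                                         # the brand itself
    "examp1e.com",                                         # digit 1 for letter l
    "ex\u0430mple.com".encode("idna").decode("ascii"),     # punycode, Cyrillic a
    "exampel.com",                                         # transposed letters
    "example-login.net",                                   # brand plus lure word
    "example.co",                                          # same label, other TLD
    "unrelated.org",                                       # no relation
]

# Illustrative subset of look-alike characters folded to their ASCII twin.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
    "0": "o", "1": "l", "3": "e", "5": "s",                      # digits
}

def normalize(domain):
    """Decode punycode, strip accents and fold confusables, lower-cased."""
    try:
        uni = domain.encode("ascii").decode("idna")
    except UnicodeError:
        uni = domain                      # already Unicode or undecodable
    uni = unicodedata.normalize("NFKD", uni.lower())
    uni = "".join(c for c in uni if not unicodedata.combining(c))
    return "".join(CONFUSABLES.get(c, c) for c in uni)

def split_domain(domain):
    """Naive (label, tld) split; real code would use the Public Suffix List."""
    labels = domain.split(".")
    return (labels[-2], labels[-1]) if len(labels) >= 2 else (labels[0], "")

def levenshtein(a, b):
    """Plain edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate, protected=PROTECTED_DOMAINS):
    """Return 'kind:brand' if candidate looks like a squat of a brand, else None."""
    norm = normalize(candidate)
    label, tld = split_domain(norm)
    for brand in protected:
        b_label, b_tld = split_domain(brand)
        if candidate.lower() == brand:
            return None                                    # the genuine domain
        if label == b_label:
            if candidate.lower() != norm:
                return f"homoglyph:{brand}"                # identical after folding
            if tld != b_tld:
                return f"tld-swap:{brand}"
        if levenshtein(label, b_label) <= (1 if len(b_label) < 6 else 2):
            return f"typo-squat:{brand}"
        if b_label in label:
            return f"brand-combo:{brand}"
    return None

def scan_feed(feed, protected=PROTECTED_DOMAINS):
    """Return (domain, reason) pairs for feed entries matching a protected brand."""
    hits = [(d, classify(d, protected)) for d in feed]
    return [(d, r) for d, r in hits if r]

if __name__ == "__main__":
    for domain, reason in scan_feed(SAMPLE_FEED):
        print(f"{domain:<28} {reason}")
```

Each hit is a candidate for analyst review or for feeding a SIEM watchlist, not an automatic block: short brand labels and common words produce false positives at edit distance 2.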

Page 25

DEMO

SECURITY NOTE: NO PHOTOS, NO VIDEOS ALLOWED!

Page 26

Summary

PREVENT
• Consistent blocking of attacks and removal of vulnerabilities
• Interrupt malware and exploits
• Discover and protect endpoints

DETECT
• Identify unknown threats against your enterprise with intelligence and analytics
• Discover attacks across your organization
• Perceive abnormal behaviors
• Prioritize threats

RESPOND
• Concise and quickest possible Incident Management
• Score and improve your incident response capabilities
• Locate indicators of compromise

“Knowledge is Power” (Sir Francis Bacon, 1597, English philosopher, statesman, scientist)

Page 27

Danke. Thank you. Obrigado. 谢谢. Terima kasih. Gracias.

Andreas Crisante

Senior Cyber Threat Intelligence Advisor

[email protected]

Christian Fichera

Senior Cyber Security Consultant

[email protected]

Wizlynx AG

Hauptstrasse 11

4102 Binningen

Switzerland

Mobile: +41 79 320 83 55

[email protected]

www.wizlynxgroup.com

Page 28

BACKUP SLIDES

Page 29

Botnet Module Capabilities

• Provides a high-quality feed of compromised credentials
• Recovered credentials can belong to customers
• Recovered credentials can belong to internal users
• Recovered credentials can belong to 3rd-party suppliers
• Recovered credentials can belong to VIPs
• Our platform is the only platform to provide a stream of credentials recovered from a diverse range of sources
• The data provided is current and gives an organization actionable intelligence
• Without such a service in place, such credentials could be used to launch APT-related attacks

Page 30

Credit Card Theft Module Capabilities

• Provides a high-quality feed of compromised credit cards
• Recovered card details are time-stamped
• Corporate cards and those belonging to VIPs can be monitored in addition to retail & business customers
• Detailed MI to track card compromises by region
• The only platform to provide a stream of card data recovered from a diverse range of underground sources & POS compromises
• The data provided can be fed via API directly into any middleware fraud engines deployed, to provide card-blocking functionality in real time
• Any entity involved in the use of credit cards will see an immediate return on investment through a higher rate of compromised-card detection

Page 31

Data Leakage Module Capabilities

• Searches for documents and confidential information that belong to your organization but should not be publicly available
• This solution complements existing controls, as it can identify leaks that have for one reason or another bypassed existing controls such as DLP systems
• Examples of sources monitored in real time include, but are not limited to: P2P networks, Google Docs, DropBox, …etc.
• Detect insiders leaking confidential information
• Identify leaks bypassing DLP controls
• Enhance DLP controls and secure a better ROI
• Detect information leakage from third parties
• With increased business demand for BYOD, this module can help identify information leakage originating from mobile devices

Page 32

Rogue Mobile App Module Capabilities

• Detects illegal mobile applications that are being publicly published without your organization’s authorization
• We provide a real-time feed with the following types of data: official mobile app markets, alternative mobile app markets
• Detect rogue applications and data theft
• Detect new and legitimate applications that have not been authorized by the CISO, and identify blended attacks (those involving malware)
• Protects brand value: constant and active monitoring of mobile app stores for improved visibility of the threats that are infringing your brand’s integrity, value, and reputation

Page 33

Hacktivism Module Capabilities

• Provides a high-quality stream of cyber intelligence related to hacktivism activity targeting your organization
• Identify groups and malicious actors targeting your organization
• Early warning of planned attacks
• Track and preserve information from across all forms of social media, including Twitter, RSS, and underground forums
• The Wizlynx platform is the only platform to provide and track detailed information across a diverse range of social media
• The platform can preserve the information captured from social media, allowing for a detailed forensic investigation at a later time
• Take the information captured and feed it directly into your SIEM solution

Page 34

Targeted Malware Module Capabilities

• Checks in real time against emerging campaigns and newly known malicious websites that are being detected across organizations
• Upload suspicious files into the solution for real-time analysis; a complete technical report is generated which can be viewed online. This report can be used to fingerprint the malware and aid in the identification of infected devices on the corporate network
• Static code analysis looking for suspicious behavior, obfuscated scripts, malicious code snippets, and redirects to other malicious sites
• Dynamic analysis that sandboxes the destination, simulating a real user on a machine with the goal of observing any changes made to the system

Page 35

Phishing Module Capabilities

• Phishing websites can cost enterprises enormously. Without robust protection, a well-coordinated attack can leave the enterprise vulnerable to financial losses and reputation damage
• The phishing feed can be stand-alone or fed into an existing service to enhance detection capabilities
• Ability to store and view a snapshot of the phishing site and its metadata for use during investigations
• Real-time alerting and reports of fraudulent phishing URLs

Page 36

Brand Abuse Module Capabilities

• Detect abuse and misuse of your brand
• Prevents coordinated real-world attacks and brand dilution. Keeping abreast of brand-related issues in community networks is now a crucial part of any brand protection strategy. Left unchecked, many brand-related issues that start small in these social networks can quickly explode into full-fledged brand or public-relations catastrophes in a matter of days
• Examples of sources monitored in real time include, but are not limited to: Vimeo, YouTube, search engines, Google Images, social networks
• The unique stream of targeted brand abuse that is delivered will help to:
  – Aid legal and marketing teams to quickly move against malicious use of the brand
  – Address brand dilution and devaluation: examples include unauthorized use of brands, logos claiming partnership affiliation or other endorsements, or use on sites with objectionable content