Slide transcript uploaded by adnet-technologies-llc, posted 05-Aug-2015.

Interacting With the FBI Regarding Cyber Incidents

Martin J. McBride, Supervisory Special Agent
Computer Intrusion Program, FBI New Haven Field Office

FBI Priorities

• The FBI focuses on threats that
  o challenge the foundations of American society, or
  o involve dangers too large or complex for any local or state authority to handle alone.
• In executing its priorities, the FBI, as both a national security and law enforcement organization, will
  o produce and use intelligence to protect the nation from threats
  o bring to justice those who violate the law

FBI Priorities

1. Protect the United States from terrorist attack
2. Protect the United States against foreign intelligence operations and espionage
3. Protect the United States against cyber-based attacks and high-technology crimes
4. Combat public corruption at all levels
5. Protect civil rights
6. Combat transnational/national criminal organizations and enterprises
7. Combat major white-collar crime
8. Combat significant violent crime
9. Support federal, state, local and international partners
10. Upgrade technology to successfully perform the FBI's mission

FBI Cyber Priorities

Cyber Program investigations include
  o Computer intrusions targeting the national information infrastructure
  o Other Internet-facilitated criminal activity
    • Significant Internet fraud, for example: highly organized, large dollar amounts (hundreds of thousands), large victim population
  o Support for FBI priorities across Program lines

FBI Cyber Priorities

• Imminent threats using the Internet, including social media, as the communication delivery system
• Threats can include either
  o property destruction
  o bodily harm
• Specific and feasible
  o "I am going to bring my AR-15 to school tomorrow morning and take out as many targets as I can before police arrive and stop me."
  o Is the individual making the threat geographically local to the school?
  o Does the individual have access to an AR-15 and appropriate ammunition?
• Threat is assumed feasible until confirmed otherwise
• Likely worked in coordination with VCMO

FBI Cyber Priorities

In assessing case priorities
• Field Offices, like New Haven, coordinate with the FBI's Cyber Division, consisting of
  o Specialized Threat Units
  o National Cyber Investigative Joint Task Force (NCIJTF): 19 intelligence and law enforcement agencies. Goal:
    • Predict and prevent what's on the horizon
    • Pursue the enterprises behind cyber attacks
  o The Internet Crime Complaint Center (IC3)
  o Cyber Initiative & Resource Fusion Unit (CIRFU)

Investigating Cyber Crime

• Objectives
• Important terminology to know
• Recognizing bad things on the Internet
• Current case scenarios
• Investigating internationally
• Reaching out to law enforcement
  o Who, what, where, why, when, and how

Important Terminology to Know

• IP address
  o 192.168.1.205 (note: 192.168.0.0/16 is a private, non-routable range; the address an investigator can actually trace is the public address recorded by the victim's server or ISP)
• Domain Name System (DNS)
  o www.bestvideos.info
• DNS servers
  o Resolve DNS names to IP addresses
• Static IP address
  o Permanently assigned to a specific host or network interface

Important Terminology to Know

• Dynamic IP address
  o Temporarily assigned to a computer from a pool (for example by an ISP's DHCP server)
  o Returned to the pool when the lease expires so that other computers can use it, so the same address may belong to different subscribers at different times; for attribution an investigator therefore needs the exact timestamp, with time zone, alongside the address
• Dynamic DNS
  o Used to resolve a domain name to an IP address that may change frequently (dynamic IP)
  o Dynamic IP addresses present a problem for DNS resolution, because a cached answer goes stale quickly
  o Abused by cyber criminals
    • Helps in bypassing IP blacklisting
    • Domain names can continue to be used by employing constantly changing IP addresses, so the name, not the address, is the durable indicator
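As an added illustration (not part of the original slides), the following Python script shows what the abuse pattern described above looks like in passive-DNS data and how to triage for it: a name that answers with many different addresses, spread across unrelated networks, each with a short TTL. The log format, the sample records and the thresholds are assumptions chosen for the example; only the name www.bestvideos.info is taken from the slide, and the addresses are from the documentation ranges.

```python
"""Triage domains whose resolved addresses churn the way abused dynamic-DNS or
fast-flux names do.  Added example, not from the original slides; the log format,
field names and thresholds below are assumptions chosen for illustration."""
from collections import defaultdict
from datetime import datetime

# Constructed sample in a passive-DNS style: "timestamp domain answer_ip ttl_seconds".
# Addresses are from the documentation ranges (192.0.2/24, 198.51.100/24, 203.0.113/24).
SAMPLE_LOG = """\
2015-08-01T08:00:00 www.bestvideos.info 203.0.113.10 300
2015-08-01T08:05:00 www.bestvideos.info 198.51.100.23 300
2015-08-01T08:10:00 www.bestvideos.info 192.0.2.77 300
2015-08-01T08:15:00 www.bestvideos.info 203.0.113.54 300
2015-08-01T08:20:00 www.bestvideos.info 198.51.100.9 300
2015-08-01T08:00:00 www.example.com 192.0.2.1 86400
2015-08-01T12:00:00 www.example.com 192.0.2.1 86400
2015-08-02T08:00:00 www.example.com 192.0.2.1 86400
"""


def parse_log(text):
    """Return (timestamp, domain, ip, ttl) tuples; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, domain, ip, ttl = line.split()
        records.append((datetime.fromisoformat(ts), domain.lower(), ip, int(ttl)))
    return records


def flux_stats(records, window_hours=24):
    """Per domain: distinct answer IPs, distinct /24 networks and lowest TTL seen
    within window_hours of that domain's first observation."""
    by_domain = defaultdict(list)
    for ts, domain, ip, ttl in records:
        by_domain[domain].append((ts, ip, ttl))
    stats = {}
    for domain, obs in by_domain.items():
        obs.sort()
        start = obs[0][0]
        window = [o for o in obs if (o[0] - start).total_seconds() <= window_hours * 3600]
        ips = {ip for _, ip, _ in window}
        nets = {ip.rsplit(".", 1)[0] for ip in ips}   # crude /24 grouping for IPv4
        stats[domain] = {
            "distinct_ips": len(ips),
            "distinct_nets": len(nets),
            "min_ttl": min(ttl for _, _, ttl in window),
        }
    return stats


def is_fluxing(s, min_ips=3, min_nets=2, max_ttl=900):
    """Many answers, spread across networks, with short TTLs: the fast-flux pattern."""
    return s["distinct_ips"] >= min_ips and s["distinct_nets"] >= min_nets and s["min_ttl"] <= max_ttl


def suspicious_domains(text, **thresholds):
    """Sorted list of domains in the log that match the flux pattern."""
    return sorted(d for d, s in flux_stats(parse_log(text)).items() if is_fluxing(s, **thresholds))


if __name__ == "__main__":
    for d, s in flux_stats(parse_log(SAMPLE_LOG)).items():
        print(d, s, "<-- FLUX" if is_fluxing(s) else "")
```

Large CDNs and mail providers also answer with many addresses and short TTLs, so a hit here is a reason to check the domain's registration date and registrar with whois, not a verdict on its own.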

Important Terminology to Know

• Denial of Service (DoS) attack
  o An attack against a computer or network that causes the computer or network to be inaccessible for a period of time
• Botnet
  o Large network of compromised computers controlled by a small number of computers (C2, command and control)
• Distributed DoS (DDoS) attack
  o Use of a botnet to overwhelm a computer or network with inbound traffic in order to make it inaccessible; because the traffic comes from many sources, it cannot be stopped by blocking a single address


Important Terminology to Know

• Ransomware
  o Malware installed on a computer
  o Gives the attacker the ability to lock the computer (or encrypt its files) remotely
  o Often generates a pop-up window, webpage, or email warning that looks like it comes from an official authority
  o Holds your computer hostage until you pay a fee to get it unlocked

Ransomware

• How is ransomware installed?
  o User opens a malicious email attachment or clicks a malicious link in an
    • e-mail message
    • instant message
    • social networking site
  o Can also be installed when a user visits a malicious website (drive-by download)

Ransomware

• Defense against ransomware
  o Maintain software patches and AV protection
  o Back up your important data and programs; keep at least one copy offline or otherwise unreachable from the infected machine, and test that you can restore from it, since ransomware that can reach a backup will encrypt it too
• Recovery
  o Pay the ransom and hope the decryption key is provided (there is no guarantee that it will be, or that it will work)
  o Restore to a good pre-infection backup

Important Terminology to Know

• Advanced Persistent Threat (APT)
  o An unauthorized party gains access to networks and stays there undetected for long periods of time
• Consider five signs of possible APT attacks

APT Sign #1

• Abnormal logon activity
  o High volume of elevated logons
  o Outside normal work hours
    • Attackers may live in different time zones
    • Intentionally avoid detection when the system is being watched
  o Use of old, unused accounts
  o Account names that don't match the current naming convention
  o Administrative accounts
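The following Python script is an added example, not part of the original slides, showing how the Sign #1 indicators can be turned into a scoring rule over logon events as a SIEM would extract them from Windows logon records. The event fields, the first.last naming convention, the work hours, the 90-day dormancy cutoff and the weights are all assumptions chosen for the illustration, and the sample events are constructed.

```python
"""Score logon events for the APT Sign #1 indicators: elevated logons, off-hours
activity, dormant accounts and names outside the naming convention.  Added example,
not from the original slides; the event fields, the first.last convention, the work
hours and the weights are assumptions chosen for illustration."""
import re
from collections import Counter
from datetime import datetime, timedelta

NAME_CONVENTION = re.compile(r"^[a-z]+\.[a-z]+$")   # assumed convention: first.last
WORK_HOURS = (7, 19)                                # assumed: 07:00-19:00, Monday to Friday
DORMANT_DAYS = 90                                   # assumed: no logon in 90 days = dormant
WEIGHTS = {"off_hours": 1, "elevated": 2, "dormant_account": 3, "nonstandard_name": 1}

# Constructed sample events (what a SIEM would extract from Windows 4624/4672 records).
# 2015-08-01 is a Saturday; 2015-08-03 is a Monday.
SAMPLE_EVENTS = [
    {"time": "2015-08-03T09:12:00", "user": "jane.doe",       "host": "WS-0142", "elevated": False, "last_seen": "2015-08-02T17:40:00"},
    {"time": "2015-08-03T02:47:00", "user": "svc_backup_old", "host": "DC-01",   "elevated": True,  "last_seen": "2014-11-10T13:00:00"},
    {"time": "2015-08-03T03:05:00", "user": "admin7",         "host": "FS-02",   "elevated": True,  "last_seen": "2015-08-01T10:00:00"},
    {"time": "2015-08-01T14:00:00", "user": "john.smith",     "host": "WS-0077", "elevated": False, "last_seen": "2015-07-31T16:00:00"},
]


def assess_event(ev):
    """Return the list of indicator names that fire for one logon event."""
    ts = datetime.fromisoformat(ev["time"])
    last = datetime.fromisoformat(ev["last_seen"])
    flags = []
    if ts.weekday() >= 5 or not (WORK_HOURS[0] <= ts.hour < WORK_HOURS[1]):
        flags.append("off_hours")
    if ev["elevated"]:
        flags.append("elevated")
    if ts - last > timedelta(days=DORMANT_DAYS):
        flags.append("dormant_account")
    if not NAME_CONVENTION.match(ev["user"]):
        flags.append("nonstandard_name")
    return flags


def score(flags):
    """Weighted sum of the indicators that fired."""
    return sum(WEIGHTS[f] for f in flags)


def elevated_logon_counts(events):
    """Volume view: how many elevated logons each account produced (a spike is a sign)."""
    return Counter(ev["user"] for ev in events if ev["elevated"])


def triage(events, threshold=4):
    """Events scoring at or above threshold as (user, host, score, flags), highest first."""
    rows = []
    for ev in events:
        flags = assess_event(ev)
        s = score(flags)
        if s >= threshold:
            rows.append((ev["user"], ev["host"], s, flags))
    return sorted(rows, key=lambda r: -r[2])


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

The fixed work-hours window is the simplest version of "know what normal looks like"; in an organisation with shifts or remote staff the baseline should be learned per account rather than set globally, or the off-hours rule will page on legitimate users in other time zones.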

APT Sign #2

• Widespread backdoor Trojans
  o Used to ensure intruders can always get back in
  o Often deployed through social engineering
    • E-mail from a known account that has been compromised
    • Malicious attachment
    • Spear phishing

APT Sign #3

• Unexpected data flows
  o Large, unexpected flows of data from internal origination points to
    • other internal computers
    • unexpected external computers
• In order to detect APT, you have to know what normal looks like
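As an added example (not from the original slides), the Python below makes the "know what normal looks like" point concrete: each host's outbound volume today is compared against its own history, and a host that is a statistical outlier is reported together with the destinations that are not on a known list, internal or external. The flow records, the 14-day baseline, the known-destination list and the z-score threshold are constructed assumptions for the illustration.

```python
"""Flag hosts whose outbound volume departs from their own baseline, and list the
destinations involved (other internal hosts or unexpected external ones).  Added
example, not from the original slides; the flow records, the 14-day baseline and
the z-score threshold are assumptions chosen for illustration."""
import statistics

MB = 1_000_000

# Constructed: daily outbound bytes per internal host over the previous 14 days
# (what you would aggregate from NetFlow, proxy or firewall logs).
BASELINE = {
    "10.0.5.21": [v * MB for v in (120, 110, 130, 125, 118, 122, 115, 128, 121, 119, 124, 117, 126, 120)],
    "10.0.5.44": [v * MB for v in (40, 42, 39, 41, 43, 40, 38, 42, 41, 40, 39, 44, 41, 40)],
}

# Constructed: today's flows as (source, destination, bytes).
TODAY_FLOWS = [
    ("10.0.5.21", "internal-fileserver", 90 * MB),
    ("10.0.5.21", "203.0.113.7",         32 * MB),    # known SaaS address
    ("10.0.5.44", "10.0.5.99",           1900 * MB),  # workstation pushing 1.9 GB to another workstation
    ("10.0.5.44", "198.51.100.200",      700 * MB),   # then 700 MB to an address never seen before
]
KNOWN_DESTS = {"internal-fileserver", "203.0.113.7"}


def outbound_by_host(flows):
    """Total bytes and the set of destinations per source host."""
    totals, dests = {}, {}
    for src, dst, nbytes in flows:
        totals[src] = totals.get(src, 0) + nbytes
        dests.setdefault(src, set()).add(dst)
    return totals, dests


def zscore(value, history):
    """How many standard deviations value sits from the host's own history."""
    mean = statistics.mean(history)
    sd = statistics.stdev(history) if len(history) > 1 else 0.0
    return (value - mean) / max(sd, 1.0)   # guard against a flat (zero-variance) baseline


def unexpected_flows(baseline, flows, known_dests, z_threshold=3.0):
    """Hosts whose outbound total today is a z_threshold-sigma outlier against their
    own history (or that have no history at all), with the destinations that are
    not on the known list."""
    totals, dests = outbound_by_host(flows)
    findings = []
    for host, total in totals.items():
        history = baseline.get(host)
        unknown = sorted(dests[host] - known_dests)
        if not history:
            findings.append({"host": host, "z": None, "total_bytes": total, "unknown_dests": unknown})
            continue
        z = zscore(total, history)
        if z >= z_threshold:
            findings.append({"host": host, "z": round(z, 1), "total_bytes": total, "unknown_dests": unknown})
    return findings


if __name__ == "__main__":
    for f in unexpected_flows(BASELINE, TODAY_FLOWS, KNOWN_DESTS):
        print(f)
```

A per-host baseline is what catches the internal-to-internal staging transfer (10.0.5.44 to 10.0.5.99 here); a perimeter-only view would see nothing until the data left the network.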

APT Sign #4

• Discovering unexpected data bundles
  o APTs often aggregate stolen data to internal collection points before moving it outside
  o Look for large chunks of data in places where that data should not be
  o For example: compressed archive files not normally seen (ACE, Zip, RAR); check file contents, not just extensions, since staged archives are often renamed
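The Python below is an added example, not code from the original slides, of a sweep for the bundles described above: it identifies archives by their leading bytes (ZIP, RAR, 7z, gzip, and the ACE marker at offset 7) so that a renamed staging file is still found. The demo() directory it builds is constructed for the illustration.

```python
"""Find archive files by content rather than by extension, the way a sweep for
staged data bundles (APT Sign #4) should.  Added example, not from the original slides;
the directory layout in demo() is constructed for illustration."""
import os
import tempfile
import zipfile

# (label, offset, magic bytes).  ZIP, RAR, 7z and gzip signatures sit at offset 0;
# the ACE format carries its "**ACE**" marker at offset 7.
SIGNATURES = [
    ("zip",  0, b"PK\x03\x04"),
    ("rar4", 0, b"Rar!\x1a\x07\x00"),
    ("rar5", 0, b"Rar!\x1a\x07\x01\x00"),
    ("7z",   0, b"7z\xbc\xaf\x27\x1c"),
    ("gzip", 0, b"\x1f\x8b"),
    ("ace",  7, b"**ACE**"),
]


def identify_archive(head):
    """Return the archive type for the first bytes of a file, or None."""
    for label, offset, magic in SIGNATURES:
        if head[offset:offset + len(magic)] == magic:
            return label
    return None


def scan_tree(root, min_size=0):
    """Walk root and return (path, type, size) for every file whose content is an
    archive, whatever its name; attackers rename staged bundles to .dat/.tmp/.jpg."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(16)
                size = os.path.getsize(path)
            except OSError:
                continue                      # unreadable or locked file: skip, don't abort the sweep
            kind = identify_archive(head)
            if kind and size >= min_size:
                hits.append((path, kind, size))
    return hits


def demo():
    """Build a constructed directory: a real ZIP renamed to .dat, a plain text file,
    and a file carrying only a RAR4 header; return the (name, type) pairs found."""
    with tempfile.TemporaryDirectory() as d:
        with zipfile.ZipFile(os.path.join(d, "thumbs.dat"), "w") as z:
            z.writestr("hr_export.csv", "name,ssn\n" * 100)
        with open(os.path.join(d, "notes.txt"), "wb") as fh:
            fh.write(b"meeting notes, nothing to see here")
        with open(os.path.join(d, "cache.tmp"), "wb") as fh:
            fh.write(b"Rar!\x1a\x07\x00" + b"\x00" * 64)    # constructed RAR4 header only
        return sorted((os.path.basename(p), kind) for p, kind, _ in scan_tree(d))


if __name__ == "__main__":
    print(demo())
```

Run scan_tree over user profile, temp and web-root directories with a min_size of a few tens of megabytes; an archive that size sitting under a user's AppData or a web server's upload folder is exactly the "data where it should not be" the slide describes.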

APT Sign #5

• Pass-the-hash hacking tools left behind
  o Pass-the-hash: a technique that allows an attacker to authenticate to a remote server/service using the underlying hash of a user's password (on Windows, the NT hash used by NTLM authentication)
  o No need to know the associated plaintext password; the hash itself is the credential, so a hash harvested from one machine's memory works anywhere that account can log on
  o Attackers often forget to delete these tools
  o Available for discovery by network security sweeps

Internet - Recognizing Bad Things

• Indicators of a scam
  o Too good to be true? MOST LIKELY IT IS A SCAM!
  o Scams are started in a variety of ways
    • unsolicited email messages
    • online relationships
    • online advertisements
    • online job offers
    • online purchases, auctions, etc.
    • unsolicited phone calls
  o Use of difficult-to-trace money transfer services
    • Western Union, GreenDot, Bitcoin, other uninsured online currencies
  o Use of foreign countries for movement of money

Internet - Recognizing Bad Things

• Indicators of a scam
  o Sending payment to someone other than the seller
  o Accepting payment from someone other than the buyer
  o Payment is significantly MORE than the selling price
  o Winning a lottery that you did not enter
  o Asked to pay money to receive a large inheritance
  o Job ads
    • Paid a commission for accepting money transfers
    • Paid a commission for cashing checks
  o They change their story to counter your objections
  o They want to make you feel sympathy for them and guilt for not helping

Internet - Recognizing Bad Things

Long-Running Examples (the original slides show screenshots of example scam messages, not reproduced in the transcript)

Phishing (the original slides show screenshots of example phishing messages, not reproduced in the transcript)

Internet – Determine Authenticity

• Reading e-mail headers
  o Viewing full headers vs. normal headers: the normal view shows only From, To, Subject and Date, all of which the sender controls; the full headers include the Received: line each mail server adds as the message passes through
  o Bottom up is the key: servers prepend their Received: line, so the bottom-most was written first, at the sender's end, and the top-most by your own mail server. Reading bottom up shows the claimed path, but the lines near the bottom can be forged by the sender; the reliable starting point is the line your own server wrote, which records the address that actually connected to you

Internet – Determine Authenticity

• Tracking tools
  o Whois: look up ownership of Internet identifiers (domain names, IP address blocks); registrant details are often privacy-protected, but the registrar, creation date and hosting network are still useful
  o Ping
  o Traceroute
  o Reverse IP lookup (which other domain names are hosted on the same address)

Man-in-the-Email Scenario 1

• Spoofing the e-mail header to establish bona fides
  o Introduce a new player who will conduct the transaction
  o New player now acts on behalf of your boss
    • Transfer money for accounts payable
    • Account given is owned by scammers
  o Money is transferred to the scam account
    • Likely somewhere offshore


Man-in-the-Email Scenario 2

• Same as Scenario 1 except it began with a telephone call and was followed up by the e-mail spoofing the CEO's e-mail address
  o Third person introduced to conduct the transaction
  o Employee was instructed to talk to no one about this project, which was a special assignment directly from the CEO
  o Multiple money transfers under $10k were used to "avoid security checks"

Man-in-the-Email Scenario 3

• Intercept legitimate e-mail traffic
• Insert yourself into the e-mail conversation using a domain that looks very similar to the legitimate domain
  o Include the previous message thread so that it looks like a continuous communication
• Change payment information
  o Divert payment to an account controlled by the scammer(s)
• In all three scenarios the control that defeats the scam is the same: any change to payment instructions is confirmed out of band, by calling a number already on file (never one taken from the e-mail), before money moves
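The following Python script is an added example, not part of the original slides, that applies the two header checks from the "Determine Authenticity" section to the Scenario 3 message: it walks the Received chain bottom up (and separately records what our own server saw), and it compares the sender's domain with the vendor's real domain to catch a lookalike such as a "1" standing in for an "l". The message, the host names and the addresses are constructed; acme-supply.com is the assumed legitimate vendor and victim-corp.example the assumed recipient.

```python
"""Walk a message's Received chain bottom up and check the sender domain against the
vendor's real domain, the two checks that expose the lookalike-domain scenario.
Added example, not from the original slides; the message, the domain names and the
addresses are constructed, and acme-supply.com is the assumed legitimate vendor."""
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_VENDOR = "acme-supply.com"      # assumed: the real vendor's domain, on file
OWN_DOMAIN = "victim-corp.example"      # assumed: our own mail infrastructure

# Constructed message: the thread is quoted so it looks continuous, but the reply
# comes from acme-supp1y.com ("1" for "l") and the chain starts at a host nobody knows.
RAW_MSG = """\
Received: from mail.victim-corp.example (localhost [127.0.0.1]) by mx.victim-corp.example with ESMTP id 1; Mon, 3 Aug 2015 14:02:11 -0400
Received: from mx.acme-supp1y.com (unknown [198.51.100.77]) by mail.victim-corp.example with ESMTPS id 2; Mon, 3 Aug 2015 14:02:10 -0400
Received: from [10.0.0.5] (unknown [203.0.113.9]) by mx.acme-supp1y.com with ESMTPA id 3; Mon, 3 Aug 2015 14:01:50 -0400
From: "Accounts Receivable" <ar@acme-supp1y.com>
Reply-To: ar@acme-supp1y.com
To: ap@victim-corp.example
Subject: RE: Invoice 4471 - updated remittance details
Message-ID: <1@acme-supp1y.com>

Please note our bank has changed; wire to the new account below.
> On Fri, Jul 31, 2015, ap@victim-corp.example wrote:
> Confirming invoice 4471 for payment next week.
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP = re.compile(r"from (.+?) by (\S+)")


def received_chain(msg):
    """Received headers oldest-first, as (from_clause, by_host, ip).  Servers prepend
    their Received line, so the bottom of the header block is the first hop."""
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        m = HOP.search(" ".join(header.split()))
        from_clause, by_host = (m.group(1), m.group(2)) if m else (header, "")
        ips = IP_IN_BRACKETS.findall(from_clause)
        hops.append((from_clause, by_host, ips[-1] if ips else None))
    return hops


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain, trusted, max_dist=2):
    """A domain within a couple of edits of the real one, but not equal to it."""
    return domain != trusted and edit_distance(domain, trusted) <= max_dist


def analyze(raw, trusted=TRUSTED_VENDOR, own=OWN_DOMAIN):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    hops = received_chain(msg)
    # Only Received lines written by our own servers are trustworthy; the earliest such
    # line records the address that actually connected to us.
    handoff = next((h for h in hops if h[1].endswith(own)), None)
    findings = []
    if lookalike(from_domain, trusted):
        findings.append(f"sender domain {from_domain} is a lookalike of {trusted}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain")
    body = msg.get_payload().lower()
    if any(k in body for k in ("bank has changed", "new account", "updated remittance")):
        findings.append("message requests a change of payment details")
    return {
        "from_domain": from_domain,
        "origin_ip": hops[0][2] if hops else None,        # claimed origin, forgeable by the sender
        "handoff_ip": handoff[2] if handoff else None,    # what our own server saw connect
        "findings": findings,
    }


if __name__ == "__main__":
    print(analyze(RAW_MSG))
```

The handoff address (198.51.100.77 here) is the one worth a whois lookup; the claimed origin further down the chain is useful context but was written by servers the sender may control.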


Reverse Social Engineering

• Power Company intrusion
  o Vulnerable billing system
• Gathered data on the target's customers
  o Customer name
  o Address
  o Telephone number
  o E-mail addresses
  o Account number
  o Billing information: due dates, amounts due, recent payment history, etc.

Reverse Social Engineering (continued)

• Used caller ID spoofing to spoof customer telephone numbers for easier account access
• Armed with all the customer data they had gathered, the scammers then called the customers, making themselves appear to be the Power Company
• Told customers their most recent bill hadn't been paid and power would have to be shut off if payment wasn't received within 30 minutes
  o Used data acquired from the Power Company intrusion to "authenticate" themselves to the customer
  o Provided two options for making payment within 30 minutes
    • Go to the nearest customer service center (always more than 30 minutes away)
    • Go to CVS, purchase a GreenDot card and provide the card information to make payment

Hop Points

• One objective of APT is to acquire and use hop points to remain undetected
• Means to avoid raising suspicions based on IP addresses
  o Hop points can be geographically near the target, so the source address looks domestic and ordinary
  o Used for both network entry and data exfiltration
• Otherwise nondescript computers can be used to facilitate the undetected theft of trade secrets and other national security information; the owner of a hop point is usually a victim too, and the address it gives an investigator is a starting point, not the adversary

The Big Cases, 2014 - present

• Target, Home Depot, Sony, Anthem
  o Intrusions that compromise enormous amounts of Personally Identifiable Information
    • Adversaries use the data to identify government and military personnel
    • Criminals use the data to monetize it: sell it to other criminals, create fake credit cards for ATM and POS transactions, use it for online purchasing, steal identities
  o Revenge/coercion
    • Sony, for example

The Big Cases, 2014 - present

• Realized harm
  o Damage to company reputation
  o Damage to the U.S. economy
  o Consumer distrust of e-commerce
    • Usually an uninformed distrust: in these cases point-of-sale (POS) data was compromised, rather than Internet sale data
• If you make yourself a target, you WILL BE COMPROMISED!!!

Investigating Internationally

• What to do when the criminals operate exclusively beyond U.S. borders?
  o Establish a global law enforcement presence
    • FBI Legal Attachés (LEGAT): global coverage from more than 60 embassies
    • Interpol
    • Mutual Legal Assistance Treaties (MLAT)

Romanian Phishing Case Study

• Case begins in June 2005
  o InfraGard member received a phishing e-mail purporting to be from Peoples Bank
  o Member did not have an account with Peoples Bank and immediately recognized it as phishing
• A spoofed e-mail address and images were created to produce the look and feel of Peoples Bank
• E-mail contained a link to a phishing web site unwittingly hosted in Minnesota

Romanian Phishing Case Study

• Unwitting owner of the phishing web site provided copies of the files used to produce the web site
  o From the scripts, it was determined that phished data was sent to an e-mail collector account, [email protected]
• Search warrants and subpoenas to Yahoo! and various ISPs revealed a connection to Romania

Romanian Phishing Case Study

• Investigative assistance provided by Peoples Bank revealed numerous ATM withdrawals made in Romania using phished data
• The LEGAT in Bucharest was brought into the investigation
  o The LEGAT worked closely with the Romanian National Police (RNP) in a joint investigation

Romanian Phishing Case Study

• Joint international investigation
  o Allowed informal sharing of information outside of the burdensome and time-consuming MLAT process
    • The MLAT process was still necessary for the collection of evidence that could be legally used for prosecution
  o More than 20 Romanian citizens were identified as being involved in phishing schemes
    • Identifications based on numerous search warrants to Yahoo!, Google, and other U.S. ISPs, and on corroboration of Romanian IP addresses and official identification documents by the RNP

Romanian Phishing Case Study Timeline

o 13 Jun 2005 – case begins from e-mail receipt
o Aug 2005 – first of many search warrants issued
o 18 Jan 2007 – seven Romanians indicted in CT
o Feb 2007 – Interpol Red Notices issued
o 6 Jun 2007 – first arrest (OINR) made in Bulgaria
  • OINR was transiting Bulgaria for vacation in Turkey
o 8 Nov 2007 – extradition of OINR from Bulgaria
o 17 Apr 2008 – FBI investigative technique in phishing case helps RNP locate their subject in an eBay fraud case
o 19 May 2008 – FBI Los Angeles indicts 33 in similar case and CT case gets unsealed due to overlap

Romanian Phishing Case Study Timeline (continued)

o 22 Jul 2008 – OINR is convicted of phishing charges
o 20 Jan 2009 – PBB arrested in Canada
  • Had moved from Romania to Canada during the investigation
o 30 Mar 2009 – OINR sentenced to 50 months in U.S. prison
o 18 Jul 2009 – CIT arrested in Croatia
  • Was working on a cruise ship that had docked there
o 8 May 2009 – Signing ceremony for the "Protocols of Exchange of Instruments of Ratification for the U.S.-Romania Mutual Legal Assistance Protocol and the U.S.-Romania Extradition Treaty"
  • Extradition Treaty updated


Romanian Phishing Case Study Timeline (continued)

o 4 Sep 2009 – CIT arrives in CT without contesting extradition
o 25 Sep 2009 – PBB extradited from Canada
o 14 Jan 2010 – CIT pleads guilty to CAN-SPAM
o 18 Feb 2010 – CIT sentenced to 7 months
o 5 Aug 2010 – PBB pleads guilty to phishing charges
o 10 Nov 2010 – fourteen new indictments
o Between Dec 2011 and Nov 2013, nine Romanians were arrested and extradited directly from Romania

Romanian Phishing Case Study Timeline (continued)

o 3 Dec 2012 – NDD pleads guilty at jury selection
o Dec 2012 – BB only defendant to go to trial
  • Convicted on both counts charged
o 15 May 2013 – IS arrested in Sweden
o 10 Jun 2013 – BB sentenced to 80 months
o 13 Jun 2013 – NDD sentenced to 78 months
o 12 Sep 2013 – IS extradited to CT
o 23 Apr 2014 – IS pleads guilty
o 17 Jun 2014 – PBB sentenced to 22 months
o 8 Jul 2014 – IS sentenced to 45 months

Romanian Phishing Case Study Results

o 13 arrests
  • 1 Bulgaria, 1 Canada, 1 Croatia, 9 Romania, 1 Sweden
  • None had ever been to the United States
o 13 extraditions from 5 different countries
o 13 convictions
  • 12 guilty pleas and 1 at trial
o 13 sentences ranging from 7 to 80 months
  • Average around 50 months
o First extradition for computer crimes committed by someone who had never been to the U.S.
o First extraditions directly from Romania of Romanian citizens

Reaching out to Law Enforcement

• Who, what, where, why, when, and how
• Who
  o KNOW IN ADVANCE WHO YOU WILL CALL!!!
  o Large businesses: FBI, USSS, Postal Inspectors, State Police
  o Small businesses: IC3, State Police, FBI, USSS, Postal Inspectors
  o Individuals: IC3 (www.ic3.gov), local police, State Police
  o Call a known person
    • Calling publicly listed numbers is BAD PLANNING!
    • Verify your contact information at least annually

Reaching out to Law Enforcement

• What
  o Computer intrusions and Internet-facilitated criminal activities
  o Loss or no loss: national security investigation
  o Criminal investigation, if the loss is significant
  o Referral to other resources (e.g. IC3), if the loss is less significant
  o Intelligence collection: valuable in all cases of malicious cyber activity, even when no investigation is opened

Reaching out to Law Enforcement

• Where: the agency responsible for
  o The location of the intrusion (where are the computers?)
  o The location of the subject (often not known until deep into the investigation)
  o The company headquarters, if HQ is better equipped to assist with the investigation

Reaching out to Law Enforcement

• Why
  o Because the security of the Internet is a global community concern
    • All of us need to work together on this
    • A secure Internet will boost every legitimate business
    • A non-secure Internet may knock out some competition, but the bottom line of the survivors will not reap the benefits that a secure Internet can provide

Reaching out to Law Enforcement

• When
  o After the dust settles
    • Law enforcement is not equipped to be a first responder for cyber incidents; there are too many proprietary variables
  o Executing the business continuity plan is critical
  o Collect as much information as you can before calling law enforcement
    • Preserve the originals as you go: logs, disk and memory images, and a timeline of what was done and when, because rebuilding an affected system before it has been captured destroys the evidence an investigation will need
    • Once law enforcement becomes involved, restrictions on gathering evidence may attach
    • More information will help to determine if an investigation will be opened and what, if any, public exposure the victim may face

Reaching out to Law Enforcement

• How
  o However you had it planned, with the plan covering
    • work day, work hours
    • work day, after hours
    • weekend
    • holiday
    • POC on vacation

FBI (Federal Bureau of Investigation): @FBI, www.fbi.gov

ADNET Technologies: @ADNETTech, @ADNETTechnologiesLLC, www.thinkADNET.com