Interacting With the FBI Regarding Cyber Incidents
Martin J. McBride, Supervisory Special Agent
Computer Intrusion Program, FBI New Haven Field Office
FBI Priorities
• The FBI focuses on threats that
  • challenge the foundations of American society, or
  • involve dangers too large or complex for any local or state authority to handle alone.
• In executing its priorities, the FBI—as both a national security and law enforcement organization—will
  • produce and use intelligence to protect the nation from threats
  • bring to justice those who violate the law
FBI Priorities
1. Protect the United States from terrorist attack
2. Protect the United States against foreign intelligence operations and espionage
3. Protect the United States against cyber-based attacks and high-technology crimes
4. Combat public corruption at all levels
5. Protect civil rights
6. Combat transnational/national criminal organizations and enterprises
7. Combat major white-collar crime
8. Combat significant violent crime
9. Support federal, state, local and international partners
10. Upgrade technology to successfully perform the FBI’s mission
FBI Cyber Priorities
Cyber Program investigations include
  o Computer intrusions targeting the national information infrastructure
  o Other Internet-facilitated criminal activity
    • Significant Internet fraud, for example:
       Highly organized
       Large dollar amounts (hundreds of thousands)
       Large victim population
  o Supports FBI priorities across Program lines
FBI Cyber Priorities
• Imminent threats using the Internet, including social media, as the communication delivery system
• Threats can include either
  • property destruction
  • bodily harm
• Specific and feasible
  • “I am going to bring my AR-15 to school tomorrow morning and take out as many targets as I can before police arrive and stop me.”
  • Is the individual making the threat geographically local to the school?
  • Does the individual have access to an AR-15 and appropriate ammunition?
• Threat is assumed feasible until confirmed otherwise
• Likely worked in coordination with VCMO
FBI Cyber Priorities
In assessing case priorities
• Field Offices, like New Haven, coordinate with the FBI’s Cyber Division, consisting of
  • Specialized Threat Units
  • National Cyber Investigative Joint Task Force (NCIJTF)
     19 intelligence and law enforcement agencies
     Goal:
      o Predict and prevent what’s on the horizon
      o Pursue the enterprises behind cyber attacks
  • The Internet Crime Complaint Center (IC3)
  • Cyber Initiative & Resource Fusion Unit (CIRFU)
Investigating Cyber Crime
• Objectives
• Important terminology to know
• Recognizing bad things on the Internet
• Current case scenarios
• Investigating internationally
• Reaching out to Law Enforcement
  • Who, what, where, why, when, and how
Important Terminology to Know
• IP address
  • 192.168.1.205
• Domain Name System (DNS)
  • www.bestvideos.info
• DNS Servers
  • Link DNS names to IP addresses
• Static IP address
  • Permanently assigned to a specific network card
Important Terminology to Know
• Dynamic IP address
  • Temporarily assigned to a computer
  • Turned in when not in use so that other computers can use it
• Dynamic DNS
  • Used to resolve a domain name to an IP address that may change frequently (dynamic IP)
  • Dynamic IP addresses present a problem for DNS resolutions
  • Abused by cyber criminals
    • Helps in bypassing IP blacklisting
    • Domain names can continue to be used by employing constantly-changing IP addresses
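The defender's side of the dynamic-DNS point above is to watch how often a name's answers change, and to block on the name rather than on whichever address it happens to use this hour. The following is an added example, not material from the presentation; the resolver log, names and addresses are constructed (TEST-NET ranges), and the churn thresholds are assumptions to tune against your own traffic.

```python
"""Spot DNS names whose answers keep changing (the dynamic-DNS abuse pattern
described on the slide) and show why blacklisting a single IP does not keep up.
Added example with constructed data; names and addresses are hypothetical."""
from collections import defaultdict
from datetime import datetime

# Constructed resolver log lines: time, queried name, answer IP (TEST-NET
# ranges, not real hosts). www.bestvideos.info is the slide's example name.
RESOLVER_LOG = """\
2015-03-02T08:01:10 www.bestvideos.info 203.0.113.14
2015-03-02T08:41:55 www.bestvideos.info 198.51.100.77
2015-03-02T09:20:03 www.bestvideos.info 203.0.113.201
2015-03-02T10:05:41 www.bestvideos.info 192.0.2.66
2015-03-02T08:03:00 www.example.com 192.0.2.10
2015-03-02T09:03:00 www.example.com 192.0.2.10
2015-03-02T10:03:00 www.example.com 192.0.2.10
"""

def parse_log(text):
    """Yield (timestamp, name, ip) from one-record-per-line resolver output."""
    for line in text.splitlines():
        if line.strip():
            ts, name, ip = line.split()
            yield datetime.fromisoformat(ts), name.lower(), ip

def ip_churn(text):
    """Per name: how many answers were seen, how many distinct IPs, and
    distinct IPs per hour of observation (a stable host stays near zero)."""
    answers = defaultdict(list)
    for ts, name, ip in parse_log(text):
        answers[name].append((ts, ip))
    report = {}
    for name, seen in answers.items():
        seen.sort()
        ips = {ip for _, ip in seen}
        hours = max((seen[-1][0] - seen[0][0]).total_seconds() / 3600, 1.0)
        report[name] = {"answers": len(seen), "distinct_ips": len(ips),
                        "ips_per_hour": len(ips) / hours}
    return report

def flag_fast_changing(text, max_distinct=2, max_ips_per_hour=1.0):
    """Names that cycled through more addresses than a legitimately dynamic
    host would; the thresholds are assumptions, not published figures."""
    return sorted(name for name, r in ip_churn(text).items()
                  if r["distinct_ips"] > max_distinct
                  or r["ips_per_hour"] > max_ips_per_hour)

def queries_blocked(text, ip_blacklist=(), name_blocklist=()):
    """Count how many logged lookups each control would have stopped: an IP
    blacklist catches only the answers it lists, a name block catches them all."""
    by_ip = by_name = 0
    for _, name, ip in parse_log(text):
        by_ip += ip in ip_blacklist
        by_name += name in name_blocklist
    return {"by_ip": by_ip, "by_name": by_name}

if __name__ == "__main__":
    print(flag_fast_changing(RESOLVER_LOG))
    print(queries_blocked(RESOLVER_LOG, ip_blacklist={"203.0.113.14"},
                         name_blocklist={"www.bestvideos.info"}))
```

Run against the constructed log, the slide's example name is flagged (four addresses in about two hours) while the stable name is not, and blacklisting one of its addresses stops one lookup of four where blocking the name stops all of them.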
Important Terminology to Know
• Denial of Service (DoS) Attack
  • An attack against a computer or network that causes the computer or network to be inaccessible for a period of time
• Botnet
  • Large network of computers controlled by a small number of computers (C2 – Command & Control)
• Distributed DoS (DDoS) Attack
  • Use of a botnet to overwhelm a computer network with inbound traffic in order to make the network inaccessible
Important Terminology to Know
• Ransomware
  • Malware installed on a computer
  • Gives the installer the ability to lock a computer remotely
  • Malware often generates a pop-up window, webpage, or email warning
    • Looks like it comes from an official authority
    • Holds your computer hostage until you pay a fee to get it unlocked
Ransomware
• How is ransomware installed?
  • User opens a malicious email attachment or clicks a malicious link
    • E-mail message
    • Instant message
    • Social networking site
  • Can also be installed when a user visits a malicious website
Ransomware
• Defense against ransomware
  • Maintain software patches and AV protection
  • Back up your important data and programs
• Recovery
  • Pay ransom and pray the decrypt code is provided
  • Restore to a good pre-infection backup
Important Terminology to Know
• Advanced Persistent Threat (APT)
  • An unauthorized person gains access to networks and stays there undetected for long periods of time
• Consider five signs of possible APT attacks
APT Sign #1
• Abnormal logon activity
  • High volume of elevated log-ons
  • Outside normal work hours
    • Attackers may live in different time zones
    • Intentionally avoid detection when system is being watched
  • Use of old, unused accounts
    • Account names don’t match current naming convention
    • Administrative accounts
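Each of the three signals on this slide can be checked mechanically against a logon export once you have written down what normal looks like: your working hours, your naming convention, and when each account last logged on. The block below is an added example, not FBI code; the accounts, hosts, times and "last seen" dates are constructed, and the 90-day dormancy and three-logon thresholds are assumptions to adjust per environment.

```python
"""Review a batch of logon events for the three signals in APT Sign #1:
elevated logons outside work hours, old or oddly named accounts, and a high
volume of elevated logons. Added example; accounts, hosts and times are
constructed and the thresholds are assumptions to tune per environment."""
import re
from datetime import datetime, timedelta

# Constructed logon records: (time, account, host, elevated?). 3 Mar 2015 is a Tuesday.
LOGONS = [
    ("2015-03-03T09:15:00", "jane.doe", "WS-114", False),
    ("2015-03-03T02:40:00", "svc_backup01", "DC-01", True),
    ("2015-03-03T02:52:00", "svc_backup01", "FS-02", True),
    ("2015-03-03T03:10:00", "svc_backup01", "FS-03", True),
    ("2015-03-03T03:25:00", "svc_backup01", "WS-114", True),
    ("2015-03-03T10:05:00", "admin.jsmith", "DC-01", True),
    ("2015-03-03T23:48:00", "tmp_contractor", "FS-02", True),
]
# Constructed reference data: each account's last logon before this batch.
LAST_SEEN = {"jane.doe": "2015-03-02", "svc_backup01": "2014-06-11",
             "admin.jsmith": "2015-03-02", "tmp_contractor": "2014-02-20"}
# Assumed current naming convention: first.last (admin accounts as admin.last).
NAMING = re.compile(r"^[a-z]+\.[a-z]+$")
WORK_HOURS = range(8, 18)  # 08:00-17:59 local time, Monday to Friday (assumed)

def is_off_hours(ts):
    """True on weekends or outside the assumed working hours."""
    return ts.weekday() >= 5 or ts.hour not in WORK_HOURS

def review_logons(logons, last_seen, dormant_days=90, elevated_threshold=3):
    """Return (account, finding) pairs. Per-account checks run once; the
    off-hours check runs per event so every odd logon is listed."""
    events = sorted((datetime.fromisoformat(t), a, h, e) for t, a, h, e in logons)
    findings = []
    for acct in sorted({a for _, a, _, _ in events}):
        first_ts = min(t for t, a, _, _ in events if a == acct)
        if not NAMING.match(acct):
            findings.append((acct, "account name outside current naming convention"))
        if acct in last_seen:
            idle = first_ts - datetime.fromisoformat(last_seen[acct])
            if idle > timedelta(days=dormant_days):
                findings.append((acct, f"dormant for {idle.days} days before this logon"))
        n_elev = sum(1 for _, a, _, e in events if a == acct and e)
        if n_elev >= elevated_threshold:
            findings.append((acct, f"{n_elev} elevated logons in the window"))
    for ts, acct, host, elev in events:
        if elev and is_off_hours(ts):
            findings.append((acct, f"elevated logon to {host} at {ts:%a %H:%M}"))
    return findings

def suspicious_accounts(logons, last_seen):
    """Accounts that triggered at least one finding, for the analyst's queue."""
    return sorted({acct for acct, _ in review_logons(logons, last_seen)})

if __name__ == "__main__":
    for acct, why in review_logons(LOGONS, LAST_SEEN):
        print(f"{acct:16} {why}")
```

On the constructed batch the two regular users produce nothing, while a service account that had been idle since the previous June and a contractor account left over from the year before are both listed for their names, their dormancy and their elevated logons in the small hours.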
APT Sign #2
• Widespread backdoor Trojans
  • Used to ensure intruders can always get back in
  • Often deployed through social engineering
    • E-mail from a known account that has been compromised
    • Malicious attachment
    • Spear phishing
APT Sign #3
• Unexpected data flows
  • Large, unexpected flows of data from internal origination points to:
    • Other internal computers
    • Unexpected external computers
• In order to detect APT, you have to know what normal looks like
APT Sign #4
• Discovering unexpected data bundles
  • APTs often aggregate stolen data to internal collection points before moving it outside
  • Look for large chunks of data in places where that data should not be
    • For example: compressed archive files not normally seen
      • ACE, Zip, RAR
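Signs #3 and #4 both come down to comparing what you see against a written-down baseline: which hosts are allowed to receive large volumes, which external networks a host normally talks to, and where archive files are expected to live. The block below is an added example, not the presentation's own material; the address ranges, baseline byte counts, flow records and file listing are all constructed, and the size thresholds are assumptions to tune against your own network.

```python
"""Flag the two patterns in APT Signs #3 and #4: large flows from an internal
host to places it does not normally talk to, and big archive files sitting
where they have no business being. Added example; address ranges, baseline
figures and file listings are constructed and thresholds are assumptions."""
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")               # assumed corporate range
EXPECTED_EXTERNAL = [ipaddress.ip_network("192.0.2.0/24")]  # constructed: backup provider
FILE_SERVERS = {"10.1.9.5"}                                  # hosts that legitimately collect data
# Constructed "what normal looks like": bytes out per host on a typical day.
BASELINE_BYTES = {"10.1.4.22": 40_000_000, "10.1.4.23": 35_000_000, "10.1.9.5": 2_000_000_000}
# Constructed NetFlow-style records for one day: (src, dst, bytes).
FLOWS = [
    ("10.1.4.22", "192.0.2.10", 38_000_000),       # routine backup traffic
    ("10.1.4.23", "10.1.4.22", 3_100_000_000),     # workstation pushing 3 GB to a peer
    ("10.1.4.22", "198.51.100.9", 2_900_000_000),  # 2.9 GB to an unknown external host
    ("10.1.9.5", "192.0.2.10", 1_900_000_000),     # file server's normal backup
]
UNEXPECTED_EXTERNAL = "large flow to unexpected external host"
INTERNAL_COLLECTION = "large flow to internal host that is not a file server"
ABOVE_BASELINE = "daily egress far above this host's baseline"

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

def is_expected_external(ip):
    return any(ipaddress.ip_address(ip) in net for net in EXPECTED_EXTERNAL)

def unexpected_flows(flows, baseline, ext_min=100_000_000, int_min=1_000_000_000, multiplier=5):
    """Return (src, dst, reason) triples for flows that break the baseline.
    A host with no baseline entry is treated as having a baseline of zero,
    so any traffic from it is reported."""
    totals = defaultdict(lambda: defaultdict(int))
    for src, dst, nbytes in flows:
        if is_internal(src):
            totals[src][dst] += nbytes
    findings = []
    for src, dsts in totals.items():
        for dst, nbytes in dsts.items():
            if is_internal(dst):
                if dst not in FILE_SERVERS and nbytes >= int_min:
                    findings.append((src, dst, INTERNAL_COLLECTION))
            elif not is_expected_external(dst) and nbytes >= ext_min:
                findings.append((src, dst, UNEXPECTED_EXTERNAL))
        if sum(dsts.values()) > multiplier * baseline.get(src, 0):
            findings.append((src, "*", ABOVE_BASELINE))
    return findings

ARCHIVE_EXT = (".ace", ".zip", ".rar")  # the formats named on the slide
# Constructed file inventory: (host, path, bytes).
FILES = [
    ("10.1.4.22", "C:/Users/jane.doe/Documents/q3-report.docx", 240_000),
    ("10.1.4.22", "C:/Windows/Temp/~tmp1.rar", 1_800_000_000),
    ("10.1.4.22", "C:/Windows/Temp/~tmp2.rar", 1_100_000_000),
    ("10.1.9.5", "D:/backups/2015-03-01.zip", 900_000_000),
]

def unexpected_bundles(files, allowed_dirs=("D:/backups/",), min_bytes=100_000_000):
    """Large archives outside the directories where archives are expected."""
    return [(host, path) for host, path, size in files
            if path.lower().endswith(ARCHIVE_EXT) and size >= min_bytes
            and not any(path.lower().startswith(d.lower()) for d in allowed_dirs)]

if __name__ == "__main__":
    for item in unexpected_flows(FLOWS, BASELINE_BYTES) + unexpected_bundles(FILES):
        print(item)
```

On the constructed day the file server's backup passes, while the workstation that received 3 GB from a peer and then sent 2.9 GB to an address outside the expected backup range is reported three times, and the two multi-gigabyte RAR files in its temp directory are the "data bundle" Sign #4 describes.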
APT Sign #5
• Pass-the-hash hacking tools left behind
  • Pass-the-hash: technique that allows a hacker to authenticate to a remote server/service
    • Uses the underlying hash of a user's password
    • No need to know the associated plaintext password
  • Hackers often forget to delete these tools
    • Available for discovery by network security sweeps
Internet - Recognizing Bad Things
• Indicators of a Scam
  • Too good to be true? MOST LIKELY IT IS A SCAM!
  • Scams are started in a variety of ways
    • unsolicited email messages
    • online relationships
    • online advertisements
    • online job offers
    • online purchases, auctions, etc.
    • unsolicited phone calls
  • Use of difficult-to-trace money transfer services
    • Western Union, GreenDot, BitCoin, other uninsured online currencies
  • Use of foreign countries for movement of money
Internet - Recognizing Bad Things
• Indicators of a Scam
  • Sending payment to someone other than the seller
  • Accepting payment from someone other than the buyer
  • Payment is significantly MORE than the selling price
  • Winning a lottery that you did not enter
  • Asked to pay money to receive a large inheritance
  • Job ads
    • Paid a commission for accepting money transfers
    • Paid a commission for cashing checks
  • Change their story to counter your objections
  • Want to make you feel sympathy for them and guilt for not helping
Internet – Determine Authenticity
• Reading e-mail headers
  • Viewing full headers vs. normal headers
  • Bottom up is the key
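"Bottom up" means reading the Received lines in the order the message actually travelled: the last Received header in the full view is the first hop, and the one at the top was written by your own server and is the only one you can vouch for. The block below is an added example, not part of the presentation; the message is constructed (TEST-NET addresses, hypothetical host names) and mx.example.com stands in for your own inbound mail server.

```python
"""Walk a message's Received headers bottom-up to find the originating address
and the host that handed the message to our own server, then compare that with
what the From: line claims. Added example; the message is constructed and
mx.example.com is a stand-in for the reader's own inbound server."""
import re
from email import policy
from email.parser import BytesParser

# Constructed message. The top Received line was added by our own server and
# is the only one we can vouch for; the lines below it arrived with the message.
RAW = b"""Received: from mail.bestvideos.info (mail.bestvideos.info [203.0.113.14])
\tby mx.example.com (Postfix) with ESMTP id 4F2A1;
\tTue, 3 Mar 2015 09:12:44 -0500
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby mail.bestvideos.info with ESMTPA;
\tTue, 3 Mar 2015 09:12:40 -0500
From: "CEO" <ceo@example.com>
To: accounts.payable@example.com
Subject: Urgent wire transfer
Message-ID: <20150303141240.ABCDEF@bestvideos.info>

Please wire the attached invoice today.
"""

# Matches "from <helo> (<reverse-dns> [<ip>]) ... by <receiving host>".
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)", re.S)

def parse(raw):
    return BytesParser(policy=policy.default).parsebytes(raw)

def hops_bottom_up(raw):
    """Received headers in transit order: the last header in the message is
    the first hop the message took, so read them bottom to top."""
    hops = []
    for value in reversed(parse(raw).get_all("Received", [])):
        m = HOP_RE.search(str(value))
        if m:
            hops.append({k: (v.strip("[]") if v else None) for k, v in m.groupdict().items()})
    return hops

def originating_ip(raw):
    """Address in the earliest hop. Anything below the hop written by your own
    server can be forged by the sender, so treat it as a lead, not proof."""
    hops = hops_bottom_up(raw)
    return hops[0]["ip"] if hops else None

def handoff_to(raw, our_mx):
    """The hop written by our own server: what actually connected to us."""
    return next((h for h in hops_bottom_up(raw) if h["by"].lower() == our_mx.lower()), None)

def claimed_from_domain(raw):
    return parse(raw)["From"].addresses[0].domain.lower()

def from_domain_mismatch(raw, our_mx):
    """True when the host that delivered the message is not in the From: domain."""
    hop = handoff_to(raw, our_mx)
    if hop is None or not hop["rdns"]:
        return True
    domain = claimed_from_domain(raw)
    rdns = hop["rdns"].lower()
    return not (rdns == domain or rdns.endswith("." + domain))

if __name__ == "__main__":
    for i, h in enumerate(hops_bottom_up(RAW), 1):
        print(f"hop {i}: {h['helo']} ({h['ip']}) -> {h['by']}")
    print("From: domain mismatch:", from_domain_mismatch(RAW, "mx.example.com"))
```

For the constructed message the trustworthy hop shows the mail arrived from mail.bestvideos.info, not from anything in example.com, which is the mismatch that the "CEO" From: line is meant to hide; the address in the very first hop is worth recording for a complaint, but only the hop your own server wrote is evidence of where the message truly came from.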
Internet – Determine Authenticity
• Tracking Tools
  • Whois
    • Look up ownership of Internet identifiers
      • Domain names
      • IP addresses
  • Ping
  • Traceroute
  • Reverse IP
Man-in-the-Email Scenario 1
Spoofing e-mail header to establish bona fides
  o Introduce new player who will conduct the transaction
  o New player now acts on behalf of your boss
    • Transfer money for accounts payable
    • Account given is owned by scammers
  o Money is transferred to scam account
    • Likely somewhere off shore
Man-in-the-Email Scenario 2
Same as Scenario 1 except it began with a telephone call and was followed up by the e-mail spoofing the CEO’s e-mail address
  o Third person introduced to conduct transaction
  o Employee was instructed to talk to no one about this project, which was a special assignment directly from the CEO.
  o Multiple money transfers under $10k were used to “avoid security checks”.
Man-in-the-Email Scenario 3
 Intercept legitimate e-mail traffic
 Insert yourself into the e-mail conversation using a domain that looks very similar to the legitimate domain
  o Include previous message thread so that it looks like a continuous communication
 Change payment information
  o Divert payment to an account controlled by scammer(s)
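The control that catches Scenario 3 is a check, before anyone acts on changed payment details, of whether the sending domain is really one of the partners you pay or merely resembles one. The block below is an added example, not the presentation's material; the partner list and test senders are constructed, and the similarity rules (look-alike character folding, edit distance, embedded partner name) are assumptions that a real deployment would tune.

```python
"""Screen a sender domain against the domains of partners you actually do
business with, catching the near-miss registrations used in Man-in-the-Email
Scenario 3. Added example; the partner list and senders are constructed and
the similarity rules are assumptions."""

# Constructed list of domains whose invoices we legitimately pay.
TRUSTED_DOMAINS = {"acme-supply.com", "northwind-traders.example"}

# Characters and digraphs that look alike in common fonts (assumed table;
# multi-character entries first so "rn" folds before "n" could be touched).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("i", "l")]

def fold(domain):
    """Collapse look-alike characters so 'acrne' and 'acme' compare equal."""
    d = domain.lower()
    for src, dst in HOMOGLYPHS:
        d = d.replace(src, dst)
    return d

def levenshtein(a, b):
    """Edit distance: number of single-character changes between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(domain):
    """Part before the TLD with punctuation removed: 'acme-supply.com' -> 'acmesupply'."""
    label = domain.lower().rsplit(".", 1)[0]
    return "".join(ch for ch in label if ch.isalnum())

def classify_sender(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (verdict, matched partner or None, rule that fired), where the
    verdict is 'trusted', 'lookalike' or 'unknown'."""
    d = domain.lower()
    if d in trusted:
        return ("trusted", d, "exact match")
    for t in sorted(trusted):
        if fold(d) == fold(t):
            return ("lookalike", t, "homoglyph substitution")
        if levenshtein(d, t) <= max_distance:
            return ("lookalike", t, "within edit distance")
        if registrable_label(t) in registrable_label(d):
            return ("lookalike", t, "partner name embedded in sender domain")
    return ("unknown", None, "no partner resembles it")

if __name__ == "__main__":
    for sender in ("acme-supply.com", "acrne-supply.com", "acme-supply.co",
                   "acme-supply-inc.com", "bestvideos.info"):
        print(f"{sender:22} {classify_sender(sender)}")
```

A "lookalike" verdict on a message that changes bank details is the point at which the slide's advice applies: confirm the change with the partner over a channel you already had, not by replying to the thread.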
Reverse Social Engineering
 Power Company Intrusion
  o Vulnerable billing system
 Gathered data on target’s customers
  o Customer Name
  o Address
  o Telephone #
  o E-mail addresses
  o Account #
  o Billing information
    • Due dates, amounts due, recent payment history, etc.
Reverse Social Engineering – continued –
 Used caller ID spoofing to spoof customer telephone numbers for easier account access
 Armed with all the customer data they had gathered, the scammers now called the customers, making themselves appear to be the Power Company
 Called customers and said their most recent bill hadn’t been paid and power would have to be shut off if payment wasn’t received within 30 minutes
  o Used data acquired from Power Company intrusion to authenticate with customer
  o Provided two options for making payment within 30 minutes
    • Go to nearest customer service center (always more than 30 minutes away)
    • Go to CVS and purchase GreenDot card and provide card info to make payment
Hop Points
 One objective of APT is to acquire and use Hop Points to remain undetected
 Means to avoid raising suspicions based on IP addresses
  o Hop Points can be geographically near target
  o Network entry and data exfiltration
 Otherwise non-descript computers can be used to facilitate the undetectable theft of trade secrets and other National Security information
The Big Cases: 2014 - present
 Target, Home Depot, Sony, Anthem
  o Intrusions that compromise enormous amounts of Personally Identifiable Information
    • Adversaries use data to identify government and military personnel
    • Criminals use data to capitalize on it
       Sell data to other criminals
       Create fake credit cards for ATM and POS transactions
       Use for online purchasing
       Steal identities
  o Revenge/coercion
    • Sony, for example
The Big Cases: 2014 - present
 Realized harm
  o Damage to company reputation
  o Damage to U.S. economy
  o Consumer distrust of e-commerce
    • Usually an uninformed distrust
       Point-of-Sale (POS) data compromised rather than Internet sale data
If you make yourself a target, you WILL BE COMPROMISED!!!
Investigating Internationally
What to do when the criminals operate exclusively beyond U.S. borders?
  o Establish global law enforcement presence
    • FBI Legal Attachés (LEGAT)
       Global coverage from more than 60 embassies
    • Interpol
    • Mutual Legal Assistance Treaties (MLAT)
Romanian Phishing Case Study
 Case begins in June 2005
  o InfraGard member received a phishing e-mail from Peoples Bank
  o Member did not have an account with Peoples Bank and immediately recognized it as phishing
 A spoofed e-mail address and images were created to produce the look and feel of Peoples Bank
 E-mail contained a link to a phishing web site unwittingly hosted in Minnesota
Romanian Phishing Case Study
 Unwitting owner of phishing web site provided copies of files used to produce the web site
  o From the scripts, it was determined that phished data was sent to an e-mail collector account, [email protected]
 Search warrants and subpoenas to Yahoo! and various ISPs revealed a connection to Romania
Romanian Phishing Case Study
 Investigative assistance provided by Peoples Bank revealed numerous ATM withdrawals made in Romania using phished data
 The LEGAT in Bucharest was brought into the investigation
  o The LEGAT worked closely with the Romanian National Police (RNP) in a joint investigation
Romanian Phishing Case Study
 Joint international investigation
  o Allowed informal sharing of information outside of the burdensome and time-consuming MLAT process
    • MLAT process was still necessary for the collection of evidence that could be legally used for prosecution
  o More than 20 Romanian citizens were identified as being involved in phishing schemes
    • Identifications based on
       Numerous search warrants to Yahoo!, Google, and other U.S. ISPs
       Corroboration of Romanian IP addresses and official identification documents by the RNP
Romanian Phishing Case Study Timeline
  o 13 Jun 2005 – case begins from e-mail receipt
  o Aug 2005 – first of many search warrants issued
  o 18 Jan 2007 – seven Romanians indicted in CT
  o Feb 2007 – Interpol Red Notices issued
  o 6 Jun 2007 – First arrest (OINR) made in Bulgaria
    • OINR was transiting Bulgaria for vacation in Turkey
  o 8 Nov 2007 – extradition of OINR from Bulgaria
  o 17 Apr 2008 – FBI investigative technique in phishing case helps RNP locate their subject in an eBay fraud case
  o 19 May 2008 – FBI Los Angeles indicts 33 in similar case and CT case gets unsealed due to overlap
Romanian Phishing Case Study Timeline – continued –
  o 22 Jul 2008 – OINR is convicted of phishing charges
  o 20 Jan 2009 – PBB arrested in Canada
    • Had moved from Romania to Canada during investigation
  o 30 Mar 2009 – OINR sentenced to 50 months in U.S. prison
  o 18 Jul 2009 – CIT arrested in Croatia
    • Was working on a cruise ship that had docked there
  o 8 May 2009 – Signing ceremony for the “Protocols of Exchange of Instruments of Ratification for the U.S.-Romania Mutual Legal Assistance Protocol and the U.S.-Romania Extradition Treaty”
    • Extradition Treaty updated
Romanian Phishing Case Study Timeline – continued –
  o 4 Sep 2009 – CIT arrives in CT without contesting extradition
  o 25 Sep 2009 – PBB extradited from Canada
  o 14 Jan 2010 – CIT pleads guilty to CAN-SPAM
  o 18 Feb 2010 – CIT sentenced to 7 months
  o 5 Aug 2010 – PBB pleads guilty to phishing charges
  o 10 Nov 2010 – fourteen new indictments
  o Between Dec 2011 and Nov 2013, nine Romanians were arrested and extradited directly from Romania
Romanian Phishing Case Study Timeline – continued –
  o 3 Dec 2012 – NDD pleads guilty at jury selection
  o Dec 2012 – BB only defendant to go to trial
    • Convicted on both counts charged
  o 15 May 2013 – IS arrested in Sweden
  o 10 Jun 2013 – BB sentenced to 80 months
  o 13 Jun 2013 – NDD sentenced to 78 months
  o 12 Sep 2013 – IS extradited to CT
  o 23 Apr 2014 – IS pleads guilty
  o 17 Jun 2014 – PBB sentenced to 22 months
  o 8 Jul 2014 – IS sentenced to 45 months
Romanian Phishing Case Study Results
  o 13 Arrests
    • 1 Bulgaria, 1 Canada, 1 Croatia, 9 Romania, 1 Sweden
    • None had ever been to the United States
  o 13 Extraditions from 5 different countries
  o 13 Convictions
    • 12 guilty pleas and 1 at trial
  o 13 Sentences ranging from 7 – 80 months
    • Average around 50 months
  o First extradition for computer crimes committed by someone who had never been to the U.S.
  o First extraditions directly from Romania of Romanian citizens
Reaching out to Law Enforcement
• Who, what, where, why, when, and how
• Who
  • KNOW IN ADVANCE WHO YOU WILL CALL!!!
  • Large Businesses
    • FBI, USSS, Postal Inspectors, State Police
  • Small Businesses
    • IC3, State Police, FBI, USSS, Postal Inspectors
  • Individuals
    • IC3 (www.ic3.gov), Local Police, State Police
  • Call a known person
    • Calling publicly listed numbers is BAD PLANNING!
    • Verify your contact information at least annually
Reaching out to Law Enforcement
• What
  • Computer intrusions and Internet-facilitated criminal activities
    • Loss or no loss
      • National Security investigation
      • Criminal investigation, if loss is significant
      • Referral to other resources (e.g. IC3)
        • If loss is less significant
    • Intelligence collection
      • Valuable in all cases of mischievous cyber activity
Reaching out to Law Enforcement
• Where
  • Agency responsible for
    • Location of intrusion
      • Where are the computers?
    • Location of subject
      • Often not known until deep into investigation
    • Company headquarters
      • If HQ is better equipped to assist with investigation
Reaching out to Law Enforcement
Why
  o Because the security of the Internet is a global community concern
    • All of us need to work together on this
    • A secure Internet will boost every legitimate business
    • A non-secure Internet may knock out some competition, but the bottom line of the survivors will not reap the benefits that a secure Internet can provide
Reaching out to Law Enforcement
When
  o After the dust settles
    • Law enforcement is not equipped to be a first responder for cyber incidents
      • Too many proprietary variables
  o Executing business continuity plan is critical
  o Collect as much information as you can before calling law enforcement
    • Once law enforcement becomes involved, restrictions on gathering evidence may attach
    • More information will help to determine if an investigation will be opened and what, if any, public exposure the victim may face
Reaching out to Law Enforcement
How
  o However you had it planned
    • Work day, work hours
    • Work day, after hours
    • Weekend
    • Holiday
    • POC on vacation
Federal Bureau of Investigation – www.fbi.gov – @FBI