TRANSCRIPT
Making Architectural Decisions to Disrupt the Economics of Cyber Attacks
Mike Viscuso
CTO at Carbon Black
March 7, 2017
Security products built by security experts
Michael Viscuso
Co-founder & SVP Products
Co-founded Carbon Black in 2011 to defend against offensive attacks he personally used
Business-minded technologist with significant offensive security experience
Roles at the NSA / defense contractors:
• Pentesters
• Incident Responders
• Architecture & Operations
• Malware Analysis & Forensics
• Offensive security
33% of product team have practitioner experience
I © 2016 Carbon Black. All Rights Reserved. 2
AGENDA
1. How Criminals Think About Crime
2. Business is Booming
3. Shifting Market Trends
4. Put Your Black Hat On
5. Architectural Changes You Can Make
How Do Criminals Think About Crime?
The Criminal Equation
What do I get by committing this crime?
What do I stand to lose if I get caught?
What are the chances I’ll get caught and convicted?
In other words…
What are the net benefits of entering a new market or building a new product?
What are the opportunity costs of staying with our existing portfolio?
What is the probability of success?
You should start thinking of these people…
Like these people…
Cybercriminals think just like businesses do
1. How do I increase revenue potential?
2. How do I decrease costs and risk?
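The criminal equation above (what do I get, what do I lose if caught, how likely is it I get caught) and the "increase revenue, decrease cost and risk" framing can be written down as a small expected-value model. The following Python is an added example, not from the deck or from Carbon Black: the model itself, the per-day detection probabilities and every dollar figure are constructed assumptions. It asks the question the later architecture slides raise from the defender's side: how quickly must activity be detected before a campaign stops paying?

```python
"""Expected-value model of an attack campaign versus detection speed.

Added example, not from the deck. It turns the criminal equation (what do I
get, what do I lose if caught, how likely am I to be caught) into a small
model and asks the defender's question: how fast must detection be before the
campaign stops paying? Every number below is a constructed placeholder.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Campaign:
    setup_cost: float      # tooling, infrastructure, time spent (assumed)
    daily_yield: float     # value extracted per day of undetected access (assumed)
    max_days: int          # campaign is abandoned after this many days regardless
    loss_if_caught: float  # penalty if a detection ends in conviction (assumed)
    p_convicted: float     # probability that a detection ends in conviction


def expected_profit(c, p_detect_per_day, response_delay_days=0):
    """Expected profit of one campaign.

    Each day the defender notices the activity with probability
    p_detect_per_day. After detection the attacker keeps collecting for
    response_delay_days more days (the daily-report gap), then loses access and
    faces the conviction risk. If never detected, the full run length pays.
    """
    profit = -c.setup_cost
    p_undetected = 1.0   # probability nothing was noticed before this day
    for day in range(c.max_days):
        p_detected_today = p_undetected * p_detect_per_day
        days_paid = min(day + 1 + response_delay_days, c.max_days)
        outcome = days_paid * c.daily_yield - c.p_convicted * c.loss_if_caught
        profit += p_detected_today * outcome
        p_undetected *= 1.0 - p_detect_per_day
    return profit + p_undetected * c.max_days * c.daily_yield


def breakeven_detection_probability(c, response_delay_days=0):
    """Per-day detection probability at which expected profit reaches zero.

    expected_profit never increases with p_detect_per_day, so bisection works.
    Returns 1.0 if even certain same-day detection leaves the campaign
    profitable and 0.0 if it never pays at all.
    """
    if expected_profit(c, 1.0, response_delay_days) > 0:
        return 1.0
    if expected_profit(c, 0.0, response_delay_days) <= 0:
        return 0.0
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if expected_profit(c, mid, response_delay_days) > 0:
            lo = mid
        else:
            hi = mid
    return hi


def compare_architectures(c):
    """Constructed scenario: next-day report review versus same-day streaming detection.

    Assumed, not measured: a report read the next morning catches 20% of active
    campaigns per day with a one-day containment lag; streaming analysis catches
    60% per day and contains the same day.
    """
    return {
        "daily_report": expected_profit(c, 0.20, response_delay_days=1),
        "real_time": expected_profit(c, 0.60, response_delay_days=0),
    }


# Constructed placeholder: $1,000 setup, $500/day for up to 30 days, a $20,000
# loss if convicted, and a 5% chance that any given detection ends in conviction.
SAMPLE = Campaign(setup_cost=1_000, daily_yield=500, max_days=30,
                  loss_if_caught=20_000, p_convicted=0.05)

if __name__ == "__main__":
    for name, value in compare_architectures(SAMPLE).items():
        print(f"{name:>12}: expected profit ${value:,.0f}")
    p = breakeven_detection_probability(SAMPLE)
    print(f"the campaign stops paying once same-day detection reaches {p:.0%} per day")
```

With the placeholder campaign the next-day review leaves the attacker roughly $1,000 in the black while same-day detection pushes the expected profit below zero; the point of the model is not the figures but that detection speed and containment lag enter the attacker's arithmetic directly, which is the lever the architecture section of the deck pulls.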
Source: RAND / Juniper
To get some perspective… (Source: RAND / Juniper)
Google’s Income Sheet (Source: Yahoo Finance)
Google Employs 57,000+ Employees (Source: Business Insider)
Let’s do some math…
• Cyber Crime (CC) is more profitable than the illicit drug trade ($2.1T)
  CC > $2,100,000,000,000
• Cocaine (Coc) is $85B of that illicit drug trade
  Coc = $85B
• Google (GOOG) brought in “just over” $90B in revenue in the last 12 months and employed 57,000 people. Google’s profit (GOOGp) per employee would be:
  GOOGp = $90,000,000,000 / 57,000 employees = $1.5M / employee
• Using this info, we can estimate how many people are involved in Cyber Crime
  Size of CC (in people) > $2,100,000,000,000 / $1,500,000 = 1,400,000 people
~1.4 million people involved in cybercrime
It’s more than a business… It’s an economy (Source: RAND / Juniper)
1. There are more attacks today than ever
2. Attacks today are more sophisticated
Specialization in the cyber black market drives this (Source: Verizon DBIR, 2016)
The economics are changing for developers
“You’re basically selling commercial software, like anything else. It needs to be polished and come with documentation. The only difference is that you only sell one license, ever, and everyone calls you evil.”
Grugq, Bangkok-based security researcher and exploit broker (Source: Forbes.com)
Approximate pricing, 2012 (Source: Forbes.com)
Android Remote Code Execution (RCE) 0-day
Source: Forbes.com, posted June, 2015: 12.0455 Bitcoin = ~$7,000 US
Windows Local Privilege Escalation 0-day
Source: Forbes.com, posted June, 2015: 12.0451 Bitcoin = ~$7,000 US
Like in any market, current trends fade and new ones take their place
Radamant Ransomware Kit
One month rental price: $1,000 USD
Average malware price: $10 USD (Source: bleepingcomputer.com)
Botnet rentals: service and price (Source: Infosec Institute)
• Distributed denial of service (DDoS): $535 for 5 hours a day for one week
• Email spam: $40 / 20K emails
• Web spam: $2 / 30 posts
• Onshore and offshore hosting (virtual private servers): $6 per month
• Bulletproof/fast flux hosting (VPNs and reverse proxies): $3 per month
• Complex botnets (features include broadcast command and control, keylogging, download, and spam). Examples include Zeus/Zbot: $700 for old version, $3,000 for new; Butterfly: $900
• Simplified botnets (features include download and execute malicious code; used primarily for rentals/crime-as-a-service). Examples include Bredolab: starts at $50
Look familiar?
• Product packaging and tiered pricing
• Upgrades and add-on features
• Bulk discounting
Source: Infosec Institute
How do you make money from a $450 botnet rental?
Get your notebooks out now
It’s This Easy
Pick a Target
For the lazy: Automation through LinkedIn APIs (Source: LinkedIn Developers Page)
Send a Request!
This isn’t any ordinary request…
Domain Registration: Valid-Looking Domains
Domain Registration: For the cost of a Big Mac
Login to “LinkedIn”
Enumerate for a Vulnerability I Can Leverage…
Exploit Executed...
No vulnerabilities? No problem.
If I Can Access Your Email…
I Can Access Your Bank Account...
And I Most Likely Can Access...
Reality
Changing Disruption Methodology
“The traditional economics literature on crime has suggested that increasing the punishment for crime or increasing the probabilities of arrest and conviction would reduce the frequency of crime… [Deterrence] has not, however, exhibited a great deal of historical impact…”
Case Study: Credit Card Fraud Detection
2007 (Source: Rolling Stone Magazine)
2015 (Source: McAfee)
98.3% reduction in price per credit card number
We’ve all experienced why.
The TECHNOLOGY Behind Fraud Detection: EVENT STREAM PROCESSING
• Evaluates each transaction relative to all past activity, identifying unusual attributes
• Contacts user or denies card in real time if activity is suspicious
• Records every transaction and runs through a central analytics engine
• Correlation occurs across all cards with similar attributes to preempt future fraud
How it was done before… Agents sift through a daily report to uncover fraud (Source: StreamBase Blog)
How it happens today: Fraud is detected within milliseconds (Source: StreamBase Blog)
This is exactly how you are going to change your architecture to prevent cybercrime.
OLD SYSTEM: Scanning through a daily report to spot fraud
NEW SYSTEM: Real-time fraud detection and response
Traditional Antivirus
• Point-in-time prevention
• Evaluates individual files
• Stops known malware only
Next-Generation Antivirus
• Streaming prevention
• Evaluates event sequences
• Stops malware and non-malware
LEGACY AV: FILES ONLY
MACHINE-LEARNING AV: FILES ONLY
STREAMING PREVENTION: FILES + ATTACKS
MALWARE + NON-MALWARE PROTECTION
NON-MALWARE ATTACKS ON THE RISE
47% OF BREACHES USE MALWARE
53% OF BREACHES ARE NON-MALWARE
MALWARE ATTACKS: KNOWN, UNKNOWN, RANSOM, OBFUSCATED
NON-MALWARE ATTACKS: MEMORY, MACROS, REMOTE LOGIN, POWERSHELL
SANS: Defining Next-Generation Antivirus (NGAV)
1. Prevent malware attacks
2. Prevent non-malware attacks
3. Detection and response
4. Context and visibility
Gartner Agrees
Competitive Landscape: Endpoint Detection and Response Tools, January 5, 2017
Note: Graphic was created using data from Gartner’s 3Q16 information security Forecast and Competitive Landscape estimates.
Source: Gartner (January 2017)
EPP with EDR
Next-Generation Antivirus
VISIBILITY: Records every endpoint event and analyzes event sequences in real time
DETECTION: Identifies irregular event sequences by matching against “normal” ones; collates data from every endpoint to increase accuracy
PREVENTION: Alerts admins of suspicious behaviors; automatically prevents any event when its risk exceeds acceptable thresholds
RESPONSE: Visualizes the attack chain to uncover point-of-entry; helps you identify and implement patches or compensating controls
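As an added illustration of the Traditional versus Next-Generation Antivirus contrast and of the four pillars just listed (visibility, detection, prevention, response), the Python below is not code from the deck or from Carbon Black. It compares a file-only hash check with a streaming detector that records every event, scores event sequences per host, carries risk down the process chain, alerts and blocks at thresholds, keeps the lineage for responders, and collates alerts across endpoints. The event stream, the hash value, the thresholds and the rule weights are all constructed for the example.

```python
"""Point-in-time file scanning versus streaming event-sequence detection.

Added example, not code from the deck or from Carbon Black. A file-only check
judges each executable by hash; the streaming check scores sequences of
endpoint events as they arrive, blocks past a threshold, and keeps process
lineage so responders can see the point of entry. All events, hashes and rule
weights are constructed for the illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int            # constructed clock, seconds
    host: str
    kind: str          # "process_start" or "net_connect"
    pid: int
    ppid: int
    image: str         # executable name reported by the sensor
    cmdline: str = ""
    sha256: str = ""   # populated on process_start only
    dest: str = ""     # remote address on net_connect only


KNOWN_BAD_SHA256 = {"constructed-hash-of-an-old-trojan"}   # constructed signature list
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "mshta.exe"}


def file_only_scan(events):
    """Legacy model: each file judged in isolation; only known hashes are flagged."""
    return [e for e in events if e.kind == "process_start" and e.sha256 in KNOWN_BAD_SHA256]


class StreamingDetector:
    """Streaming model: risk accumulates along a process chain, not per file."""

    def __init__(self, block_threshold=70, alert_threshold=40):
        self.block_threshold, self.alert_threshold = block_threshold, alert_threshold
        self.procs = {}               # (host, pid) -> process_start Event: every event kept
        self.risk = defaultdict(int)  # (host, pid) -> accumulated score
        self.alerts = []              # host, pid, score, action, chain

    def lineage(self, host, pid):
        """Walk ppid links back to the root: the attack chain for responders."""
        chain, seen = [], set()
        while (host, pid) in self.procs and pid not in seen:
            seen.add(pid)
            chain.append(self.procs[(host, pid)].image.lower())
            pid = self.procs[(host, pid)].ppid
        return chain[::-1]

    def ingest(self, e):
        """Score one event in the context of its chain; return allow, alert or block."""
        key = (e.host, e.pid)
        if e.kind == "process_start":
            self.procs[key] = e
            parent = self.procs.get((e.host, e.ppid))
            self.risk[key] += self.risk[(e.host, e.ppid)]   # child inherits parent's risk
            if e.sha256 in KNOWN_BAD_SHA256:
                self.risk[key] += 100                      # known malware is still caught
            if parent and parent.image.lower() in OFFICE_APPS and e.image.lower() in SCRIPT_HOSTS:
                self.risk[key] += 40                       # document spawned a script host
            toks = e.cmdline.lower().split()
            if any(t.startswith("-enc") for t in toks) or "hidden" in toks:
                self.risk[key] += 20                       # encoded or hidden interpreter launch
        elif e.kind == "net_connect" and e.image.lower() in SCRIPT_HOSTS:
            self.risk[key] += 30                           # script host reaching the network
        score = self.risk[key]
        action = ("block" if score >= self.block_threshold
                  else "alert" if score >= self.alert_threshold else "allow")
        if action != "allow":
            self.alerts.append({"host": e.host, "pid": e.pid, "score": score,
                                "action": action, "chain": self.lineage(e.host, e.pid)})
        return action

    def campaign_view(self):
        """Collate across endpoints: the same chain on several hosts is one campaign."""
        by_chain = defaultdict(set)
        for a in self.alerts:
            by_chain[" > ".join(a["chain"])].add(a["host"])
        return {chain: sorted(hosts) for chain, hosts in by_chain.items()}


def replay(events):
    """Feed events in arrival order; return the detector and each event's action."""
    det = StreamingDetector()
    return det, [det.ingest(e) for e in events]


# Constructed stream: a macro-driven attack on two hosts (no new file written),
# an administrator's ordinary PowerShell session, and one known-bad binary.
SAMPLE_EVENTS = [
    Event(1, "ws-01", "process_start", 100, 1, "explorer.exe"),
    Event(2, "ws-01", "process_start", 200, 100, "WINWORD.EXE", 'WINWORD.EXE /n "invoice.docm"'),
    Event(3, "ws-01", "process_start", 300, 200, "powershell.exe",
          "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand PLACEHOLDER"),
    Event(4, "ws-01", "net_connect", 300, 200, "powershell.exe", dest="constructed.invalid:443"),
    Event(5, "ws-01", "process_start", 400, 100, "powershell.exe", "powershell.exe"),
    Event(6, "ws-01", "net_connect", 400, 100, "powershell.exe", dest="intranet.invalid:80"),
    Event(7, "ws-02", "process_start", 100, 1, "explorer.exe"),
    Event(8, "ws-02", "process_start", 210, 100, "WINWORD.EXE"),
    Event(9, "ws-02", "process_start", 310, 210, "powershell.exe", "powershell.exe -nop -w hidden -enc PLACEHOLDER"),
    Event(10, "ws-02", "net_connect", 310, 210, "powershell.exe", dest="constructed.invalid:443"),
    Event(11, "ws-03", "process_start", 500, 100, "old-trojan.exe", sha256="constructed-hash-of-an-old-trojan"),
]

if __name__ == "__main__":
    print("file-only hits:", [(e.host, e.image) for e in file_only_scan(SAMPLE_EVENTS)])
    det, actions = replay(SAMPLE_EVENTS)
    print("actions:", actions)
    print("campaigns:", det.campaign_view())
```

Run stand-alone, the file-only scan reports only the known-bad binary on ws-03 and says nothing about the two macro hosts, because no new file ever appeared there. The streaming detector raises an alert the moment Word spawns a hidden, encoded PowerShell, blocks when that interpreter opens a network connection, leaves the administrator's plain PowerShell session alone, and groups the two hosts under one chain signature so the response team sees a single campaign with the document as point of entry.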
OUR VIEWPOINT: Cb Defense converges prevention, detection and response
1. Prevent malware attacks
2. Prevent non-malware attacks
3. Detection and response
4. Context and visibility
Next-Generation Antivirus: What you can expect
• Acceleration in time to respond: 98.8%
• Prevention coverage: 99%
• Reduction in time to detect a breach: 99.3%
• Reduction in re-imaging needs: 100%
THANKS
Follow us!
@MichaelViscuso
@CarbonBlack_Inc