Making Architectural Decisions to Disrupt the Economics of Cyber Attacks

Mike Viscuso

CTO at Carbon Black

March 7, 2017

Security products built by security experts

Michael Viscuso

Co-founder & SVP Products

Co-founded Carbon Black in 2011 to

defend against offensive attacks he

personally used

Business-minded technologist with

significant offensive security

experience

Roles at the NSA / defense contractors

• Pentesters

• Incident Responders

• Architecture & Operations

• Malware Analysis & Forensics

• Offensive security

33% of product team have

practitioner experience

I © 2016 Carbon Black. All Rights Reserved. 2

1

2

3

4

5

How Criminals Think About Crime

Business is Booming

Shifting Market Trends

Put Your Black Hat On

Architectural Changes You Can Make

AGENDA

How Do Criminals Think About Crime?

I © 2016 Carbon Black. All Rights Reserved. 4

The Criminal Equation

I © 2016 Carbon Black. All Rights Reserved. 5

The Criminal Equation

What do I get by committing this crime?

I © 2016 Carbon Black. All Rights Reserved. 6

What do I stand to lose if I get caught?

What are the chances I’ll get caught and convicted?

In other words…

What are the net benefits of entering a new market or building a new product?

I © 2016 Carbon Black. All Rights Reserved. 7

What are the opportunity costs of staying with our existing portfolio?

What is the probability of success?

You should start thinking of these people…

I © 2016 Carbon Black. All Rights Reserved. 8

Like these people…

I © 2016 Carbon Black. All Rights Reserved. 9

2

1

Cybercriminals think just like businesses do

I © 2016 Carbon Black. All Rights Reserved. 10

How do I increase revenue potential?

How do I decrease costs and risk?

I © 2016 Carbon Black. All Rights Reserved. 11

Source: RAND / Juniper

Source: RAND / Juniper

I © 2016 Carbon Black. All Rights Reserved. 12

To get some perspective…

Source: RAND / Juniper

I © 2016 Carbon Black. All Rights Reserved. 13

Google’s Income Sheet

I © 2016 Carbon Black. All Rights Reserved. 14

Source: Yahoo Finace

Google Employs 57,000+ Employees

Source: Business Insider

I © 2016 Carbon Black. All Rights Reserved. 15

Let’s do some math…

• Cyber Crime (CC) is more profitable than the illicit drug trade ($2.1T)

CC > $2,100,000,000,000

• Cocaine (Coc) is $85B of that illicit drug trade

Coc = $85B

• Google (GOOG) brought in “just over” $90B in revenue in the last 12 months and

employed 57,000 people. Google’s profit (GOOGp) per employee would be:

GOOGp = $90,000,000,000 / 57,000 employees = $1.5M / employee

• Using this info, we can estimate how many people are involved in Cyber Crime

Size of CC (in people) > $2,100,000,000,000 / $1,500,000 = 1,400,000 people

I © 2016 Carbon Black. All Rights Reserved. 16

~1.4 million people involved in cybercrime

It’s more than a business…

I © 2016 Carbon Black. All Rights Reserved. 17

It’s an economy

Source: RAND / Juniper

I © 2016 Carbon Black. All Rights Reserved. 18

I © 2016 Carbon Black. All Rights Reserved. 19

2

1There are more attacks

today than ever

Attacks today are more

sophisticated

Specialization in the cyber black market drives thisSource: Verizon DBIR, 2016

The economics are changing for developers

"You’re basically selling commercial software, like anything else. It needs to be polished and come with documentation. The only difference is that you only sell one license, ever, and everyone calls you evil.“

GrugqBangkok-based security

researcher and exploit broker

I © 2016 Carbon Black. All Rights Reserved. 20

Source: Forbes.com

Approximate pricing, 2012

Android Remote Code Execution (RCE) 0-day

I © 2016 Carbon Black. All Rights Reserved. 21

Source: Forbes.com

Posted June, 2015

12.0455 Bitcoin =

~$7,000 US

Windows Local Privilege Escalation 0-day

I © 2016 Carbon Black. All Rights Reserved. 22

Source: Forbes.com

Posted June, 2015

12.0451 Bitcoin =

~$7,000 US

Like in any market, current trends fade and new ones take their place

I © 2016 Carbon Black. All Rights Reserved. 23

Radamant Ransomware Kit

I © 2016 Carbon Black. All Rights Reserved. 24

One month rental price: $1,000 USD

Average malware price: $10 USDSource: bleepingcomputer.com

I © 2016 Carbon Black. All Rights Reserved. 25

Service Price

Botnet rentals

Direct denial of service (DDoS) $535 for 5 hours a day for one week

Email spam $40 / 20K emails

Web spam $2 / 30 posts

Onshore and offshore hosting - virtual private

servers$6 per month

Bulletproof/fast flux hosting

(VPNs and reverse proxies)$3 per month

Complex Botnets: Features include broadcast

command and control, keylogging, download, and

spam

Examples include…

Zeus/Zbot: $700 for old version, $3,000 for new

Butterfly: $900

Simplified botnets: Features include download and

execute malicious code.

Used primarily for rentals/crime-as-a-service

Examples include…

Bredolab: Starts at $50

Source: Infosec Institute

Botnet rentals

I © 2016 Carbon Black. All Rights Reserved. 26

Source: Infosec Institute

Look familiar?

I © 2016 Carbon Black. All Rights Reserved. 27

Product packaging and

tiered pricingSource: Infosec Institute

Look familiar?

I © 2016 Carbon Black. All Rights Reserved. 28

Upgrades and add-on

featuresSource: Infosec Institute

Look familiar?

I © 2016 Carbon Black. All Rights Reserved. 29

Bulk discounting

Source: Infosec Institute

How do you make money from a $450 botnet rental?

I © 2016 Carbon Black. All Rights Reserved. 30

Get your notebooks out now

I © 2016 Carbon Black. All Rights Reserved. 31

It’s This Easy

I © 2016 Carbon Black. All Rights Reserved. 32

Pick a Target

I © 2016 Carbon Black. All Rights Reserved. 33

For the lazy: Automation through LinkedIn APIs

I © 2016 Carbon Black. All Rights Reserved. 34

Source: LinkedIn Developers Page

Send a Request!

I © 2016 Carbon Black. All Rights Reserved. 35

This isn’t any ordinary request…

I © 2016 Carbon Black. All Rights Reserved. 36

Domain Registration

Valid-Looking Domains

I © 2016 Carbon Black. All Rights Reserved. 37

Domain Registration

For the cost of a Big Mac

I © 2016 Carbon Black. All Rights Reserved. 38

Login to “LinkedIn”

I © 2016 Carbon Black. All Rights Reserved. 39

Enumerate for a Vulnerability I Can Leverage….

I © 2016 Carbon Black. All Rights Reserved. 40

Exploit Executed...

I © 2016 Carbon Black. All Rights Reserved. 41

No vulnerabilities? No problem.

I © 2016 Carbon Black. All Rights Reserved. 42

If I Can Access Your Email….

I © 2016 Carbon Black. All Rights Reserved. 43

I Can Access Your Bank Account...

I © 2016 Carbon Black. All Rights Reserved. 44

And I Most Likely Can Access...

I © 2016 Carbon Black. All Rights Reserved. 45

Reality

I © 2016 Carbon Black. All Rights Reserved. 46

Changing Disruption Methodology

I © 2016 Carbon Black. All Rights Reserved. 47

The traditional economics literature on crime has suggested that increasing the punishment for crime or increasing the probabilities of arrest and conviction would reduce the frequency of crime… [Deterrence] has not, however, exhibited a great deal of historical impact…

“

Case Study: Credit Card Fraud Detection

I © 2016 Carbon Black. All Rights Reserved. 48

2007

Source: Rolling Stone Magazine

Case Study: Credit Card Fraud Detection

I © 2016 Carbon Black. All Rights Reserved. 49

2007

2015

Source: Rolling Stone Magazine

Source: McAfee

98.3%Reduction in price per

credit card number

I © 2016 Carbon Black. All Rights Reserved. 50

We’ve all experienced why.

Evaluates each transaction

relative to all past activity,

identifying unusual

attributes

Contacts user or denies

card in real time if activity is

suspicious

Records every transaction and

runs through a central

analytics engine

Correlation occurs across all

cards with similar attributes to

preempt future fraud

EVENT

STREAM

PROCESSING

The TECHNOLOGY Behind Fraud Detection

I © 2016 Carbon Black. All Rights Reserved. 51

How it was done before…

I © 2016 Carbon Black. All Rights Reserved. 52

Agents sift through a daily report to uncover fraud

Source: StreamBase Blog

How it happens today

I © 2016 Carbon Black. All Rights Reserved. 53

Fraud is detected within milliseconds

Source: StreamBase Blog

I © 2016 Carbon Black. All Rights Reserved. 54

This is exactly how you are going to change your architecture to prevent cybercrime.

OLD SYSTEM

Scanning through a daily report to spot fraud

NEW SYSTEM

Real-time fraud detection and response

I © 2016 Carbon Black. All Rights Reserved. 55

Traditional

Antivirus

• Point-in-time prevention

• Evaluates individual files

• Stops known malware only

Next-Generation

Antivirus

• Streaming prevention

• Evaluates event sequences

• Stops malware and non-malware

I © 2016 Carbon Black. All Rights Reserved. 56

MACHINE-LEARNING AV

FILES ONLY

STREAMINGPREVENTION

FILES + ATTACKS

LEGACY AV

FILES ONLY

I © 2016 Carbon Black. All Rights Reserved. 57

MALWARE + NON-MALWARE PROTECTION

NON-MALWARE ATTACKS ON THE RISE

47%OF BREACHES USE

MALWARE

53%OF BREACHES ARE

NON-MALWARE

MALWARE ATTACKS NON-MALWARE ATTACKS

KNOWN UNKNOWN RANSOM OBFUSCATED MEMORY MACROS REMOTE

LOGIN

POWERSHELL

I © 2016 Carbon Black. All Rights Reserved. 58

SANS: Defining Next-Generation Antivirus (NGAV)

1. Prevent malware attacks

2. Prevent non-malware attacks

3. Detection and response

4. Context and visibility

I © 2016 Carbon Black. All Rights Reserved. 59

Gartner Agrees

I © 2016 Carbon Black. All Rights Reserved. 60

Competitive Landscape: Endpoint Detection and Response ToolsJanuary 5, 2017Note: Graphic was created using data from Gartner’s 3Q16 information security Forecast and Competitive Landscape estimates.

Source: Gartner (January 2017)

EPP with EDR

Next-Generation Antivirus

VISIBILITYRecords every endpoint event and analyzes event sequences in real time

I © 2016 Carbon Black. All Rights Reserved. 61

Next-Generation Antivirus

DETECTIONIdentifies irregular event sequences by matching against “normal” ones; collates data from every endpoint to increase accuracy

I © 2016 Carbon Black. All Rights Reserved. 62

Next-Generation Antivirus

PREVENTIONAlerts admins of suspicious behaviors; automatically prevents any event when its risk exceeds acceptable thresholds

I © 2016 Carbon Black. All Rights Reserved. 63

Next-Generation Antivirus

RESPONSEVisualizes the attack chain to uncover point-of-entry; helps you identify and implement patches or compensating controls

I © 2016 Carbon Black. All Rights Reserved. 64

OUR VIEWPOINTCb Defense converges prevention, detection and response

1. Prevent malware attacks

2. Prevent non-malware attacks

3. Detection and response

4. Context and visibility

I © 2016 Carbon Black. All Rights Reserved. 65

Next-Generation Antivirus

What you can expect

I © 2016 Carbon Black. All Rights Reserved. 66

Acceleration in

time to respond

Prevention

coverage

Reduction in time

to detect a breach

Reduction in

re-imaging needs

98.8% 99% 99.3% 100%

THANKS

Follow us!

@MichaelViscuso

@CarbonBlack_Inc

I © 2016 Carbon Black. All Rights Reserved. 67