TRANSCRIPT
Microsoft Confidential
Microsoft Digital Crimes Unit (DCU) – Fight Against Cybercrime
Marja Laitinen, Senior Attorney, Microsoft Digital Crimes Unit, Central and Eastern Europe
Cybersecurity is a Boardroom-level Issue
• 160M data records compromised from the top 8 breaches in 2015
• 556M victims of cybercrime per year
• $400B cost of cyberattacks to companies each year
• 71% of companies admit they fell victim to a successful cyber attack the prior year
• $3 trillion estimated cost in economic value from the cybercrime industry by 2020
• 140+ median number of days between infiltration and detection
Our Unique Perspective
• 300B user authentications each month
• 1B Windows devices updated
• 200B emails analyzed for spam and malware
A Layered Approach to Security
Helping to protect our customers, our company, and our world
Growing threats demand a coordinated response:
• Cyber Security Services Engineering
• Digital Crimes Unit
• Information Security & Risk Management
• Microsoft Azure
• Microsoft Security Response Center
• Microsoft Threat Intelligence Center
• Office 365
• Windows & Devices Group
Cyber Defense Operations Center
Digital Crimes Unit (DCU)
The Microsoft Digital Crimes Unit is committed to fighting cybercrime around the globe.
We use our expertise in data analytics, cyberforensics, and law to strategically partner with
public and private organizations, law enforcement, and our customers, to protect the world from
digital harm.
In our work we focus on protecting vulnerable populations, fighting malware, and
reducing digital risk.
Protecting Vulnerable Populations: Technical Support Scams
The scheme:
• Fraudsters pose online and on the phone as tech support from high-tech companies, including Microsoft
• A victim is often asked for remote access and charged for unnecessary technical services; they may lose money or personal information, or be exposed to malware
• DCU investigates tech fraud cases globally, building evidence to take action, and runs education programs through media, Microsoft Retail Stores, and the Cybercrime Center
Report a scam: www.support.microsoft.com/reportascam
Protecting Vulnerable Populations: PhotoDNA
• Free cloud-based service: www.microsoft.com/photodna
• PhotoDNA has helped detect millions of illegal images online
• Over 100 organizations use the technology to keep their platforms safe
• Illegal images are reported to the National Center for Missing and Exploited Children and other appropriate authorities
Malware Disruptions
DCU identifies targets, investigates, and orchestrates global partnerships to take action.
A botnet is a network of infected computers that cybercriminals control remotely.
With a single botnet, cybercriminals can commit billions of illegal acts in a single day.
Botnet Takedowns and Malware Disruption Operations
Working with law enforcement and others to disrupt the criminal infrastructure.
Operations: Conficker, Waledac, Rustock, Kelihos, Zeus, Nitol, Bamital, Citadel, Sirefef, Gameover Zeus, Bladabindi & Jenxcus, Simda, Ramnit, Caphaw, Dorkbot
Timeline (date, operation, summary, and the crime category it targeted):
• Feb 2010, Waledac: first Microsoft takedown operation, proving the model of industry-led efforts; disconnected 70,000-90,000 infected devices from the botnet. Botnet worm sending spam.
• Feb 2010, Conficker: Microsoft-led model of industry-wide efforts to counter the threat. Botnet worm sending spam and attempting to steal confidential data and passwords.
• March 2011, Rustock: supported by stakeholders across industry sectors; involved US and Dutch law enforcement and CN-CERT. Spam, on average 192 spam messages per compromised machine per minute.
• Sep 2011, Kelihos: partnership between Microsoft and security software vendors; first operation with a named defendant. Spam, Bitcoin mining, DDoS attacks.
• March 2012, Zeus: cross-sector partnership with financial services; focused on disruption because of technical complexity. Identity theft / financial fraud.
• Sep 2012, Nitol: introduced in the supply chain relied on by Chinese consumers; settled with the operator of the malicious domain. Malware spreading, DDoS attacks.
• Feb 2013, Bamital: hijacked people's search results and took victims to dangerous sites; takedown in collaboration with Symantec, with proactive notification and a cleanup process. Advertising click fraud.
• June 2013, Citadel: committed online financial fraud responsible for more than $500M in losses; coordinated disruption with the public and private sector. Identity theft / financial fraud.
• Dec 2013, Sirefef (ZeroAccess): hijacked search results, taking victims to dangerous sites; cost online advertisers upwards of $2.7 million each month. Advertising click fraud.
• June 2014, Bladabindi & Jenxcus: malware using Dynamic DNS for command; involved password and identity theft, webcam and other privacy invasions; over 200 different types of malware impacted. Identity theft / financial fraud / privacy invasion.
• June 2014, Gameover Zeus (GOZ): a banking Trojan; worked in partnership with law enforcement, providing technical remediation. Identity theft / financial fraud.
• July 2014, Caphaw: focused on online financial fraud responsible for more than $250M in losses; coordinated disruption with the public and private sector. Identity theft / financial fraud.
• Feb 2015, Ramnit: malware stealing credential information from banking websites; configured to hide itself. Credential information theft / disabling security defenses.
• April 2015, Simda: theft of personal information, including banking passwords, as well as installing and spreading other malware. Theft of personal data / installing and spreading other malware.
• December 2015, Dorkbot: used for cybercriminal activities such as credential harvesting for financial fraud, DDoS attacks and the downloading of malicious payloads. Financial fraud, DDoS attacks.
Most Common Malware Threats in CEE, 1-30 September 2016 (distinct infected IPs):
• Conficker: 682 897. February 2010 operation. Botnet worm.
• Dorkbot: 659 991. Used for cybercriminal activities such as credential harvesting for financial fraud, DDoS attacks, and the downloading of malicious payloads; disrupted in cooperation with the FBI and international law enforcement.
• Bladabindi & Jenxcus: 452 515. June 2014 operation. Malware using Dynamic DNS for command; involved password and identity theft, webcam and other privacy invasions; over 200 different types of malware impacted by the takedown. Identity theft / financial fraud / privacy invasion.
• Ramnit: 114 062. February 2015 operation. Credential information theft / disabling security defenses.
Top CEE Countries per Threat, 1-30 September 2016 (distinct IPs per country)

Conficker:
  Russia 258 426
  Ukraine 76 341
  Romania 57 507
  Hungary 40 757
  Serbia 29 635
  The top 5 countries represent 68% of CEE Conficker infections.

Dorkbot:
  Russia 341 281
  Ukraine 65 426
  Belarus 59 713
  Kazakhstan 58 899
  Romania 28 715
  The top 5 countries represent 83% of CEE Dorkbot infections.

B106 (Bladabindi & Jenxcus):
  Russia 111 586
  Kazakhstan 74 574
  Romania 52 328
  Poland 24 313
  Serbia 21 592
  The top 5 countries represent 63% of CEE B106 infections.

Ramnit:
  Romania 53 752
  Azerbaijan 23 014
  Poland 12 820
  Russia 9 211
  Mongolia 7 137
  The top 5 countries represent 93% of CEE Ramnit infections.
Government Security Program
Microsoft is committed to building trust with governments and sharing security information.
Program objectives:
• Help protect governments and their citizens
• Build trust and transparency
• Strengthen public-private partnerships
What participants receive:
• Direct access to Microsoft product and security resources
• Access to Transparency Centers to work with source code
• Remote access to online source code
• Technical data, including Microsoft Azure and O365
• Information sharing about threats and vulnerabilities, leveraging CTIP
The Microsoft SECURITY PLATFORM
Advanced Threat Protection
Anti-Spam / Anti-Malware
Message Encryption
Customer Lockbox
Data Loss Prevention
Windows Trust Boot
Device Guard
Credential Guard
Microsoft Passport
Windows Hello
Windows Defender ATP
Windows Update for Business
Enterprise Data Protection
Azure Active Directory
Azure Active Directory Premium
Azure Security Center
Azure Secure Store
Azure Key Vault
Advanced Threat Analytics
Cloud App Security
Intune
Windows Server 2016
SQL Server 2016
Protect Your Environment
Best practices: invest in your platform, your instrumentation, and your people.
• Maintain a well-documented inventory of your assets
• Acquire/build the tools needed to fully monitor your network, hosts, and logs
• Establish relationships and communication between the incident response team and other groups
• Define your security policy with clear standards and guidance
• Proactively maintain controls and measures, and regularly test them for accuracy and effectiveness
• Adopt least privilege admin principles; eliminate persistent admin rights
• Use proper hygiene: most attacks can be prevented with timely patches and antivirus
• Maintain tight control over change management policies
• Use the lessons learned to gain value from every major incident
• Employ multi-factor authentication to strengthen protection of accounts and devices
• Monitor for abnormal account and credential activity to prevent abuse
• Educate, empower, and enlist users to recognize likely threats and their role in protecting business data
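The practice of monitoring for abnormal account and credential activity is easier to act on with a concrete detector in hand. The Python below is an added example, not Microsoft code or anything from the DCU; the sign-in log format, the ten-minute window, the failure thresholds and every sample log line are constructed assumptions. It runs two complementary checks over the same events: a burst of failed sign-ins on one account that ends in a success (a guessed or worn-down password), and one source address failing against many different accounts inside the window (password spraying, which stays under any per-account lockout threshold and so is invisible to the first check).

```python
"""Detect abnormal account and credential activity in sign-in logs.

Added example (not Microsoft's code): the log format, the thresholds and
the sample lines below are all assumptions constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log, one event per line:
#   <ISO timestamp> <account> <source IP> <SUCCESS|FAILURE>
SAMPLE_LOG = """\
2016-09-05T08:00:01 alice 10.0.0.5 SUCCESS
2016-09-05T08:02:00 alice 10.0.0.5 FAILURE
2016-09-05T08:02:20 alice 10.0.0.5 SUCCESS
2016-09-05T08:10:00 bob 203.0.113.7 FAILURE
2016-09-05T08:10:05 bob 203.0.113.7 FAILURE
2016-09-05T08:10:09 bob 203.0.113.7 FAILURE
2016-09-05T08:10:14 bob 203.0.113.7 FAILURE
2016-09-05T08:10:20 bob 203.0.113.7 FAILURE
2016-09-05T08:10:27 bob 203.0.113.7 FAILURE
2016-09-05T08:10:33 bob 203.0.113.7 SUCCESS
2016-09-05T09:00:00 carol 198.51.100.9 FAILURE
2016-09-05T09:00:03 dave 198.51.100.9 FAILURE
2016-09-05T09:00:07 erin 198.51.100.9 FAILURE
2016-09-05T09:00:11 frank 198.51.100.9 FAILURE
"""

WINDOW = timedelta(minutes=10)   # assumed look-back window for both detectors
FAILURE_THRESHOLD = 5            # assumed: failures on one account that count as a burst
SPRAY_MIN_ACCOUNTS = 3           # assumed: distinct accounts one source must fail against


def parse_log(text):
    """Parse the constructed log format into (timestamp, account, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), account, ip, result))
    events.sort(key=lambda e: e[0])  # both detectors assume chronological order
    return events


def find_failures_then_success(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Flag accounts that see >= threshold failures inside `window` and then a
    success: the signature of a guessed password on a single account."""
    recent = defaultdict(list)  # account -> timestamps of failures inside the window
    alerts = []
    for ts, account, ip, result in events:
        recent[account] = [t for t in recent[account] if ts - t <= window]
        if result == "FAILURE":
            recent[account].append(ts)
        elif result == "SUCCESS":
            if len(recent[account]) >= threshold:
                alerts.append({"account": account, "source_ip": ip,
                               "failures": len(recent[account]), "at": ts})
            recent[account].clear()  # a success ends the burst either way
    return alerts


def find_password_spray(events, min_accounts=SPRAY_MIN_ACCOUNTS, window=WINDOW):
    """Flag a source IP that fails against >= min_accounts distinct accounts
    inside `window`; per account the rate is low, so only a per-source view
    reveals it."""
    recent = defaultdict(list)  # ip -> (timestamp, account) of failures inside the window
    flagged = {}
    for ts, account, ip, result in events:
        if result != "FAILURE":
            continue
        recent[ip] = [(t, a) for t, a in recent[ip] if ts - t <= window]
        recent[ip].append((ts, account))
        accounts = sorted({a for _, a in recent[ip]})
        if len(accounts) >= min_accounts:
            flagged[ip] = accounts  # keeps the latest, largest account set
    return flagged


def analyze(text=SAMPLE_LOG):
    """Run both detectors over a log and return their findings together."""
    events = parse_log(text)
    return {"bursts": find_failures_then_success(events),
            "sprays": find_password_spray(events)}


if __name__ == "__main__":
    for kind, findings in analyze().items():
        print(kind, findings)
```

On the constructed log, alice's single mistyped password is ignored, bob's six failures followed by a success produce one burst alert, and 198.51.100.9 is reported as spraying four accounts. Both detectors keep only the events inside the window, so they can run incrementally over a live feed rather than over a finished file.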
Additional Information
• DCU Fact Sheet (http://news.microsoft.com/download/presskits/DCU/docs/dcuFS_160115.pdf)
• DCU on YouTube (https://www.youtube.com/user/DCUMicrosoft)
• DCU on Twitter (https://twitter.com/microsoftdcu)
• Avoiding Tech Support Scams (PDF) Brochure (https://ncmedia.azureedge.net/ncmedia/2016/03/TechSupportScams.pdf)
• Microsoft on the Issues Blog (http://blogs.microsoft.com/on-the-issues/2015/09/30/microsoft-hosts-renowned-id-theft-expert-to-kick-off-expanded-aarp-partnership-to-stop-tech-scams/#sm.00012obcpy1ccqfgyxshvwqfatq4j)
• PhotoDNA Cloud Service (https://www.microsoft.com/en-us/PhotoDNA)
• PhotoDNA Fact Sheet (https://ncmedia.azureedge.net/ncmedia/2016/08/PhotoDNAFactSheet1608221.pdf)
• Learn about Your and Your Family's Online Safety (https://www.microsoft.com/about/philanthropies/youthspark/youthsparkhub/programs/onlinesafety/)
• Install and Run the Free Malicious Software Removal Tool (https://www.microsoft.com/en-us/download/malicious-software-removal-tool-details.aspx?id=16)