the seven hackers v6

Tom Gilheany, CISSP. Twitter: @TomGilheany. http://gilheany.net

Posted on 14-Apr-2017

Seven Hackers


Cyber Security introductory seminar

Defenders | Tools | Laws & Regs.

7 Hackers | Target: YOU | Attacks

The seven hackers you will encounter in the wilds of the internet

SEVEN HACKERS

http://map.ipviking.com/

Norse tracks >50,000 attacks per second.
10,000 new species/variants of malware per day.
1 Billion IP Addresses. Operates in 47 countries. 6,000 common types of devices attacked.


Attacks are EVERYWHERE

YOU are the TARGET: Intended or Not!


YOU MAY BE ASKING: Who would want to attack ME? Who ARE these people? What's their MOTIVATION?


1: SCRIPT KIDDIES

WHO ARE THEY?
Limited Technical Knowledge.
Use downloaded software kits. Some kits = advanced damage!
Unaware of or do not care about consequences.

MOTIVATIONS: Immaturity, Ego-Boosting, Thrill Seeking.

EXAMPLE: The Movie WarGames (1983, MGM Pictures)

2: CYBER-PUNKS

WHO ARE THEY?
High-Tech, Low-Life.
Disregard for Authority and Societal Norms; Cultural Rebels.
Hard-Boiled Hacker with Anarchist Tendencies.
More technically sophisticated than Script-Kiddies.
Counts on a Slap on the Wrist.
Predominantly 12-18yo Males.
Techno-Revolutionary, Manifestos, Rave/Techno.

MOTIVATIONS: Recognition from Peers; Respect (or fear) from the system. Cling to a cult of individualism in a culture characterized by corporate control and mass conformity.

EXAMPLE: High-Tech Low-Life: The Matrix (1999, Warner Bros.)

Notes: Image 1 is from a fan site identifying the various pieces of technology used as props (the original screen does not have the number overlays). Images 2 & 3 are screen captures posted by fan sites. All images 1999, Warner Brothers Pictures.

3: HACKTIVISTS

WHO ARE THEY?
Defacing or DDoSing sites, claiming civil disobedience.
Individuals & loosely organized groups/mobs distributed across the internet.
May be from other categories, with Hacktivism as justification.

MOTIVATIONS: Revenge, Power, Greed, Marketing, Media Attention; Vigilante Justice; Political Agenda.

EXAMPLE: Anonymous

4: THIEVES

WHO ARE THEY?
Common Criminals (part-time): Credit Cards, BitCoin, Wire Theft; Identity Theft; Intellectual Property Theft; Service Theft (AWS, VoIP, Storage).
Organized Crime: Large Scale; Sophisticated; Hired Teams: Specialists; Theft of ANYTHING of value.

MOTIVATIONS: Money, Greed.

What's in YOUR wallet???

EXAMPLE: Petty Organized Crime. 2001, Warner Bros.

5: MALWARE WRITERS

WHO ARE THEY?
Adolescent, College Student, Adult, Ex-Writer.
Skill varies.
Writer may not be the one who releases it into the wild.

MOTIVATIONS: Mental Challenge, Attention, Raw Thrill, Bragging Rights.

EXAMPLES:

https://krebsonsecurity.com/2013/04/who-wrote-the-flashback-os-x-worm/

https://www.trustwave.com/Resources/SpiderLabs-Blog/Hacking-a-Reporter--Writing-Malware-For-Fun-and-Profit-%28Part-1-of-3%29/

https://grahamcluley.com/2014/11/write-regin-malware/

http://www.scmagazine.com/russian-man-claims-he-wrote-target-pos-malware-as-a-security-program/article/330337/

Motivations of Malware Creation

Malware writers can have various reasons for creating and spreading malware. The following are common reasons:

1. Fun / Hobby / Spreading of ideology: Some malware writers consider their creations to be works of art, and see malware writing as a creative hobby.

2. Jokes / Pranks: Pranks range from harmless ones that merely display an annoying message to programs that can destroy files or disable a computer altogether.

3. Showing computing knowledge / Gaining respect: Malware that is widely spread and observed by the mass media can show off the writer's knowledge and gain great respect in a small group of like-minded people.

4. Industrial espionage: Obtaining secret information about a company by using weaknesses and defects in the company's IT systems is something that is quite common today.

5. Experimental / Research / Proof of Concept: Malware is written in laboratories and research facilities for experimental or research purposes. Most of this malware does not spread. Malware kept on lab and research-facility test systems is usually called in-the-field; malware that has been found infecting users' computers worldwide in the real world is called in-the-wild.

6. Vandalism / Graffiti: The intentional destruction of property is popularly referred to as vandalism. It includes behavior such as breaking windows, slashing tires, spray painting a wall with graffiti, and destroying a computer system through the use of malware. Vandalism is a malicious act and may reflect personal ill will, although the perpetrators need not know their victim to commit vandalism.

7. Revenge: There are always employees who are not particularly satisfied with their employer. A programmer or system administrator about to be fired from a job may leave behind backdoors or software "time bombs" that allow them to damage the former employer's systems or destroy their own earlier work. Malware is also used to attack the products of specific companies or web sites. According to the FBI, revenge from employees is a very common reason for IT-related crimes.

8. Political message: Malware which infects executable files on compromised computers and displays a political message when launched. This type of malware usually targets particular government organizations.

9. Profit / Financial gain / Extortion: Most malware writers motivated by profit or financial gain are more and more likely to be working with spammers and hackers. One of the most common methods is stealing sensitive information, which is then sold on the black market to criminal organizations for a profit. Some malware will encrypt some of the files on your computer and then leave a message to contact a certain email address with a reference number so that you can buy back your own files.

6: PROFESSIONALS

WHO ARE THEY?
VERY Sophisticated Creators of Advanced Persistent Threats.
Custom, High-Threat Attacks.
Available for hire: Org. Crime, foreign governments.
Advanced Training. Clandestine. (Ex?) Intelligence. Cyber Warfare Recon. & Intel.

MOTIVATIONS: Profession.

PLA Unit #61398 and #61486

Joe McReynolds, a researcher of China's network warfare and capabilities for the US Center for Intelligence Research and Analysis

Chinese Professional Hacking (3 groups): [1] Specialized military network warfare forces, focused on carrying out network cyberattacks and defense (PLA Unit #61398, 12-storey building). [2] A unit of civilian teams granted the go-ahead by the Chinese military to carry out "network warfare operations." [3] An umbrella unit for "external entities" which "can be organized and mobilized for network warfare operations," but act outside of government departments.

Each unit targets US companies in order to steal valuable data related to business and trade. This, in turn, can give Chinese firms a boost in the global economy.

References: http://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-and-labor

http://www.zdnet.com/article/china-reveals-existence-of-cyber-warfare-hacking-teams/

According to McReynolds, China's digital military strategy has been split up into three separate sections. One unit, called "specialized military network warfare forces," focuses on carrying out network cyberattacks and defense. Secondly, another unit comprises civilian teams which have been given the go-ahead by the Chinese military to carry out "network warfare operations." Finally, another unit acts as an umbrella for "external entities" which "can be organized and mobilized for network warfare operations," but act outside of government departments. The Chinese military expert says that each unit targets US companies in order to steal valuable data related to business and trade. This, in turn, can give Chinese firms a boost in the global economy. In May, the United States charged five Chinese nationals described as "military hackers" with breaking into US corporate networks to steal sensitive data. These men allegedly belonged to Unit 61398, the focus of a study conducted by FireEye's Mandiant cyberforensics team in 2013. The report claimed that a 12-story building associated with the PLA hosted this unit, which connects a number of sophisticated Chinese hacking groups including the "Comment Crew" and "Shanghai Group." Mandiant says that Unit 61398 was likely responsible for an "overwhelming" number of cyberattacks, whereas at the time Chinese officials dismissed the allegations as "groundless."

7: CYBER-TERRORISTS

WHO ARE THEY?
Extortionists.
Cyber-Warfare / Intelligence.
Connection to Physical World.

MOTIVATIONS: Power; Political; Extortion = Greed.

Example: SONY

SEVEN HACKERS: Script-Kiddies, Cyber-Punks, Hacktivists, Thieves, Malware Writers, Cyber-Terrorists, Professionals.

NEW HACKER GROUPS? Growing Groups: Political Activists, Insiders, Organized Crime, Cyber Warriors.

CYBER WARRIORS / CYBER-WARFARE:
Identify Point-of-Entry.
Gather Intelligence on Point-of-Entry.
Compromise Perimeter via Point-of-Entry. Execute Entry-plan: Targeted Spearphishing, Insiders, weak underbelly.
ONCE INSIDE:
Reconnoiter / Gather Intelligence.
Map Terrain / Connectivity.
Identify Primary, Secondary Targets.
Identify Vulnerabilities.
Identify Diversionary Targets.
Map Defenses.
Profile Individuals, Applications, Behaviors to leverage (avoid detection, compromise systems).
Gain High Ground (acquire a position). Plan attack.
Establish command-and-control.
Establish offsite place to exfiltrate information.
Identify a buyer (or use-point for what is stolen: a fence).
Execute the attack-plan while avoiding detection and prevention.

NEW: Inside Insiders. Wide Range of Insiders: Begrudged Employee; Developers/Engineers; Sales People; Unwittingly Co-Opted people.

LESSON: Have clear, well-known policies on Intellectual Property (IP) protection!

TARGET: ACQUIRED

GENERAL MOTIVES: Understand yourself as a target.
Revenge: Is there anyone with an axe to grind? Would the cost of a security breach be high? Brand Damage; Political Damage; Costly Fines or Penalties; Loss of Information Assets/Control.
Notoriety: Could somebody get famous or gain street credibility for hacking your company, product, or service?
Curiosity: Do you have interesting information, computing environments or assets? (NASA, Computer-Game Company.)

Financial Motives: Understand yourself as a target. Black Market Prices:

Adwords: $1000 (to drain a competitor's AdWords budget)
Botnets: USA $180 / 1,000 computers; Canada $270; UK $240; France $200; Russia $200; Worldwide $35
Credit Cards: Premium Big Balance $250; Regular CC w/ SSN $5
Doxing Someone: $25-$100
Health Insurance Info: $1200-$1300
Twitter Followers: $15 / 10,000 Fake Follows
Email Accounts: Gmail $200 / 1,000; Hotmail $12 / 1,000; Yahoo $10 / 1,000
Facebook Likes: $15 / 1,000; Spam: $13 page w/ 30k fans
Hacked Webcams: Male $0.01; Female $1
Online Bank Account: USA 2% of Acct. Bal.; EU 4%-6% of Acct. Bal.
Online Funds to Cash: 9%-40% Commission
PayPal Account: 6%-20% of Balance
Online Game Hackers: $16k/mo in China
Remote Admin Tool: $40 for Blackshades
Website Traffic: $1 for 1,000 Fake Visitors

Thought: If a hacker is selling access to a compromised computer for 18 cents, or a Gmail account for 20 cents, how much must it cost to break into that computer???

Prices Updated August 2014.

(What can be stolen / used for financial gain?) Information, Services.
Info: For own use, to sell, or hold hostage. Customer Information; Software / Product and R&D Designs; Financial Records; Keys/Control Information to Hard Assets; Personal/Private Information (photos, etc.).
Services: Computing Power, Information Storage, Control; Services (Phone Service, Cloud).

HACKER MOTIVATIONS (chart): Skill Level plotted against Revenge, Curiosity, Financial, Notoriety.
Legend: NV: Novice; OG: Old Guard Hackers; CP: Cyber-Punks; PA: Political Activists; PT: Petty Thieves; PC: Pro Criminals; IW: Info Warriors; IN: Internals; MW: Malware Writers.

"It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles."

-Sun Tzu, The Art of War (6th Century BC)

CyberSecurity Primer

Defenders | Tools | Laws & Regs.

7 Hackers | Target: YOU | Attacks

Bibliography:

The Psyche of Cybercriminals: A Psycho-Social Perspective. Marcus K. Rogers.
http://202.154.59.182/mfile/files/Information%20System/Cybercrimes%20A%20Multidisciplinary%20Analysis/Chapter%2014%20The%20Psyche%20of%20Cybercriminals%3B%20A%20Psycho-Social%20Perspective.pdf

Black Market Pricing:
http://www.havocscope.com/black-market-prices/hackers/

Live CyberAttack Map, courtesy of Norse CyberSecurity: http://map.ipviking.com/

Data Breaches (Bubble Infographic): http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/static/