Published on February 27, 2014
Security seminar: Cyber incident dilemmas. New challenges for cybercrime victims: can you make the right choice? Luc Beirens, Head of the Federal Computer Crime Unit © Luc Beirens - FCCU
Challenging cybercrime, challenging questions
Cost & time to attack cyber space versus cost & time to secure cyber space
New versions give you 72 hours to react; after that, no more decryption keys are available.
New dilemmas © Belgian Federal Computer Crime Unit
Malware
• Generic malware
• Targeted malware
Botnets
• External botnet
• Internal botnet
Social engineering
• Role of social media
• Focused on the individual's situation
"Cheap" versions (starting from €25), easily available
• Sold as a package
• Offered as crime as a service (subscribe & manage online)
Goal => large-scale infections to create botnets
Use of botnets for e-banking fraud, spam, DDoS, spying
Goal of the malware: stay in and control the network unnoticed over a long period
Very expensive => where is the return on investment?
• Several infection methods: waterholing, quantum injection, social engineering
• Built in several stages from different files, often with artisanal intervention
• Own storage system, hidden from the operating system
• Own network routing: guarantees routing inside the network and an exit to the internet
• Configuration files specific to the attacked architecture
• Crypto on stored data and on data in transmission
• Large number of powerful network operating & maintenance functions
• Anti-detection capabilities (commands do not show the processes / connections)
• Anti-forensic functions (act without logging, clean up & self-destruct)
Dilemmas
Question 1: Do you call in external experts?
External experts?
• In most cases the discovery of some strange event is made by own ICT personnel, or even with the help of the usual ICT service providers => they do not recognise the problem
• Cybercrime & espionage go way beyond daily maintenance
• Difficult to find traces => is it a crime or just a software problem?
• Easy to wipe out traces => by doing a restore to recover
• Help in incident management
• Collect / analyse / interpret traces => forensic services
• How to mitigate the problem? => teaming up ICT & forensics
• How to communicate? => communication specialists
Question 2: Do you immediately clean up the detected infected system?
Immediate cleanup?
• If after analysis you determine that it might be malware:
• Stop the problem by shutting down => but RAM contains valuable data that is lost
• Clean up by restoring => the backup may itself be infected
• Clean up by reinstalling => overwriting evidence?
• Clean up by replacing the infected system => we keep the evidence
• Was it the only infected system?
• Consider leaving the infection in place for some time => to look at the suspected data traffic
• Dilemma: is the damage of leaving the infection ongoing bigger than the damage of not detecting other possibly infected systems?
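"Was it the only infected system?" is the question that keeping the first machine alive lets you answer: its outbound traffic tells you which destinations to look for on every other host. The following is an added example, not part of the presentation and not FCCU tooling. It pivots from one confirmed infected host over a constructed, hypothetical proxy-log format (timestamp, source, destination, bytes), drops destinations that many hosts contact anyway, and reports every other host talking to what remains. The log lines, addresses and the prevalence threshold are assumptions made for the example.

```python
"""Pivot from one confirmed infection to other possibly infected hosts.

Added example: a hypothetical proxy/flow log with lines of the form
"<timestamp> <source ip> <destination ip> <bytes>" is constructed below.
"""
import re
from collections import defaultdict

# Constructed sample log. 10.1.4.22 is the host already confirmed as infected.
# 93.184.216.34 is a destination everyone visits; 198.51.100.17 and
# 203.0.113.9 are only seen from the infected host and a few others.
SAMPLE_LOG = """\
2014-02-20T08:01:12 10.1.4.22 198.51.100.17 4211
2014-02-20T08:01:40 10.1.4.22 203.0.113.9 812
2014-02-20T08:02:03 10.1.4.22 93.184.216.34 1510
2014-02-20T08:05:09 10.1.7.15 93.184.216.34 1422
2014-02-20T08:06:30 10.1.7.15 198.51.100.17 3990
2014-02-20T08:07:00 10.1.9.3 93.184.216.34 900
2014-02-20T08:09:45 10.1.9.3 192.0.2.55 700
2014-02-20T08:11:00 10.1.12.8 203.0.113.9 640
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<bytes>\d+)$")


def parse_log(text):
    """Return (timestamp, src, dst, bytes) tuples; malformed lines are skipped,
    because aborting triage on one bad line is worse than losing that line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m["ts"], m["src"], m["dst"], int(m["bytes"])))
    return records


def suspect_destinations(records, infected_host, max_prevalence=2):
    """Destinations the infected host contacted, minus those contacted by
    more than max_prevalence distinct hosts (ordinary shared destinations)."""
    hosts_per_dst = defaultdict(set)
    for _, src, dst, _ in records:
        hosts_per_dst[dst].add(src)
    return {dst for dst, hosts in hosts_per_dst.items()
            if infected_host in hosts and len(hosts) <= max_prevalence}


def find_other_infected(records, infected_host, max_prevalence=2):
    """Map every other host to the sorted suspect destinations it contacted."""
    suspects = suspect_destinations(records, infected_host, max_prevalence)
    others = defaultdict(set)
    for _, src, dst, _ in records:
        if src != infected_host and dst in suspects:
            others[src].add(dst)
    return {host: sorted(dsts) for host, dsts in others.items()}


def bytes_to_suspects(records, infected_host, max_prevalence=2):
    """Outbound volume per host towards the suspect destinations, a first
    indicator of which machines may have been used to move data out."""
    suspects = suspect_destinations(records, infected_host, max_prevalence)
    volume = defaultdict(int)
    for _, src, dst, nbytes in records:
        if dst in suspects:
            volume[src] += nbytes
    return dict(volume)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("suspect destinations:", sorted(suspect_destinations(recs, "10.1.4.22")))
    print("other hosts to check:", find_other_infected(recs, "10.1.4.22"))
    print("bytes to suspects:", bytes_to_suspects(recs, "10.1.4.22"))
```

The prevalence cut-off is the part to tune: set it too low and a command-and-control server that several victims share drops out of the suspect set, set it too high and ordinary web destinations flood the result. In practice the candidate list is reviewed by hand before any host on it is touched, for the same evidence-preservation reasons the slide gives.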
Question 3: Do you give a sample of the malware to the AV industry / CERT community, so that similar infections in other organisations can be detected?
Do you give a sample of the malware?
• We all want to be protected, as well as any other firm in the same sector, but there is a commercial advantage => do we want to help each other?
• Why malware analysis? What does it do? How does it infect my system? With whom does it communicate?
• Malware analysis is expert work:
• Forensic copies of RAM / hard disks
• Network communication analysis
• Reverse engineering of the malware / decryption
• Dilemma
• NOT sharing: as the malware sometimes contains configuration files of your system, sharing might be "exposure of hacked infrastructure" => impact on business
• SHARING: helps in defining indicators of compromise / signatures
• Solution: start with one specialist firm under a strict non-disclosure agreement
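The two halves of this dilemma can be separated: the indicators of compromise that other organisations need (sample hash, external command-and-control addresses and domains) are not the same data as the internal hostnames and addresses that would expose your infrastructure. The following is an added example, not from the presentation and not FCCU or vendor tooling, of splitting the strings of a sample into a shareable indicator list and a redacted count. The sample bytes are constructed and stand in for a real binary; the internal address ranges and the internal domain suffix are assumptions for the example.

```python
"""Extract shareable indicators of compromise from a malware sample while
withholding anything that describes the victim's own infrastructure.

Added example. SAMPLE is constructed to stand in for the bytes of a recovered
sample; the internal networks and domain suffix are assumed for the example.
"""
import hashlib
import re
from ipaddress import ip_address, ip_network

# Constructed stand-in for a sample: a fake header followed by embedded
# configuration strings of the kind the slide warns about.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 16
          + b"beacon=http://203.0.113.9/gate\x00"
          + b"fallback=198.51.100.17:443\x00"
          + b"dga=kq3x.example.net\x00"
          + b"proxy=proxy01.corp.example.be:8080\x00"
          + b"share=\\\\fs01.corp.example.be\\finance\x00"
          + b"mutex=Global\\x7f9b-svc\x00"
          + b"dns=10.1.0.53\x00")

# Assumed victim-specific information that must not leave the organisation.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
INTERNAL_DOMAINS = ("corp.example.be",)

IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(rb"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def classify_ip(text):
    """'internal', 'external', or None when the text is not a valid address."""
    try:
        ip = ip_address(text)
    except ValueError:
        return None
    if ip.is_loopback or ip.is_link_local or any(ip in n for n in INTERNAL_NETS):
        return "internal"
    return "external"


def extract_iocs(sample):
    """Return the sample hash plus external IPs/hosts; internal ones are only
    counted, so the recipient learns that redaction happened but not what."""
    report = {"sha256": hashlib.sha256(sample).hexdigest(),
              "ips": set(), "hosts": set(), "redacted": 0}
    for raw in IPV4_RE.findall(sample):
        kind = classify_ip(raw.decode())
        if kind == "external":
            report["ips"].add(raw.decode())
        elif kind == "internal":
            report["redacted"] += 1
    for raw in HOST_RE.findall(sample):
        host = raw.decode().lower()
        if host.endswith(INTERNAL_DOMAINS):
            report["redacted"] += 1
        else:
            report["hosts"].add(host)
    report["ips"] = sorted(report["ips"])
    report["hosts"] = sorted(report["hosts"])
    return report


def shareable_text(report):
    """Plain-text indicator list suitable for passing on under an NDA."""
    lines = [f"sha256: {report['sha256']}"]
    lines += [f"ip: {ip}" for ip in report["ips"]]
    lines += [f"host: {h}" for h in report["hosts"]]
    lines.append(f"redacted internal indicators: {report['redacted']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(shareable_text(extract_iocs(SAMPLE)))
```

Before anything derived from a sample leaves the organisation, the redacted count should be reviewed against the raw strings: a hostname under an unlisted internal domain, or an internal address outside the listed ranges, would pass straight through the filter. The sample itself, with its configuration, stays with the one specialist firm under the non-disclosure agreement the slide recommends.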
Question 4: Do you pay in case of extortion?
Do you pay in case of extortion?
• Dilemma
• If you pay: will the criminal keep his promise? (give the decryption keys / not divulge "your security problem")
• If you don't pay: will you be able to recover? Will he reveal it?
• Paying a criminal is in most cases a bad option => known cases with positive & negative results => BUT it might never stop
• But getting in touch with the criminal and "negotiating" might give you some time to reduce possible damage
• Prepare communication on the event even if you paid: criminals think only of themselves and do NOT care about your reputation
Question 5: Do you file a complaint or inform the authorities?
Do you file a complaint with the authorities?
• Dilemma
• If I file a complaint => it will be public and my image will suffer
• If I don't file a complaint => can my problem remain "secret", and what if the "secret" gets into the public? Will my image not suffer bigger damage?
• Your problem might be a more "general problem" for society
• Has any personal data (employees, customers) been disclosed?
• Have any communications been compromised?
• Has data with possible stock exchange impact been disclosed?
• Know your legal obligations: privacy law, electronic communications law, ... Know the sanctions for not filing a complaint if you were obliged to
Question 6: Do you inform your employees?
Do you inform your employees?
• Dilemma
• If you do inform them => it will be public and my image will suffer
• If you do not inform them => what are the risks?
• Employees are the Achilles' heel of your information system
• If their workstation was infected or if network traffic was sniffed, all their personal credentials and data were (possibly) compromised
• Personal systems (including social media) are an easy way to reinfect your system
• Consider general information for your employees on a need-to-know basis: what might have been compromised, rules for correct attitude, rules to update security in their personal environment (social networks)
Question 7: Do you inform your customers?
Do you inform your customers?
• Dilemma
• If you do inform them => it will be public and my image will suffer
• If you do not inform them => what are the risks?
• Customers remain customers as long as they trust you
• If their data / communications / activities have been compromised and you do NOT inform them, the risks are:
• Contractual liability
• General civil liability
• Penal liability
• Commercial impact
• Consider general information for your customers on a need-to-know basis: what might have been compromised, what was done to clean up, what the remaining risks are, and what the customer should do to verify or secure his system
Contact: +32 2 743 74 74