Post on 08-May-2015
PREVENTION AND INVESTIGATION OF HIGH-TECH CRIMES
Damage caused to the global economy by cyber criminals
[Chart covering 2012, 2013 and 2014; the values are not recoverable from the extracted slide]
• THE CLASSICAL MEANS OF SECURING INFORMATION IS NO LONGER ABLE TO PREVENT INCIDENTS
Group-IB's mission
IS TO PROTECT OUR CLIENTS IN CYBERSPACE BY CREATING AND USING INNOVATIVE PRODUCTS, SOLUTIONS AND SERVICES
Group-IB
• ONE OF THE LEADING INTERNATIONAL COMPANIES THAT SPECIALIZE IN THE PREVENTION AND INVESTIGATION OF CYBER CRIMES AND HIGH-TECH CRIMES
Main activities:
• Cyber intelligence, monitoring and prevention of cyber threats
• Investigation of cyber crimes and high-tech theft
• Computer forensics and examination
• Information security audit and security analysis
• Development of innovative information security products
GROUP-IB’s expansion phases
• 2003: Group-IB created
• 2009: enters the international market
• 2010: becomes the largest computer forensics laboratory in Eastern Europe
• 2011: CERT-GIB created
• 2015: becomes an organization with unique competencies
Headcount growth over these phases: 20+, 30+ and 100+ employees
Our customers
• Financial sector
• Energy, industry, IT
• Media
Examples of investigations carried out: Carberp
• Russia’s biggest organized online crime gang (in 2012)
• The investigation was carried out in close cooperation with the Russian Federal Security Service (FSB) and the Russian Ministry of Internal Affairs, with assistance from Sberbank of Russia
• This was the first case in Russian law-enforcement practice in which all the members of an online crime gang were arrested
Examples of investigations carried out: Hodprot
• One of the oldest groups involved in online banking theft
• Measures were taken in several regions of Russia and the CIS
• The investigation led to the arrest of the 7 members of the criminal group
Examples of investigations carried out: Hameleon
• The first botnet designed to steal money from personal bank accounts
• The criminal used replacement SIM cards to carry out attacks against bank customers
• More than 1 billion rubles were prevented from being stolen
Examples of investigations carried out: Germes
• An international criminal gang that offered illegal earnings through a scheme built on principles similar to those of an affiliate program
• The investigation led to the arrest of the organizer of the criminal gang
• The largest botnet in Russia was dismantled. At the time of the arrest, the botnet comprised more than 6 million compromised computers. The botnet was designed for online banking theft
Examples of investigations carried out: Dragon, a DDoS botnet
• A DDoS attack against one of the TOP 10 largest Russian banks. The attack was carried out using a previously unknown botnet
• The organizer of the attack was arrested in December 2012 in close cooperation with the Russian Ministry of Internal Affairs
Examples of investigations carried out: BlackHole
• Paunch, the author of the BlackHole Exploit Kit and the Cool Exploit Kit, as well as of Crypt.am, a service for obfuscating malware code to prevent its detection by antivirus programs
• 40% of infections recorded worldwide were carried out using Paunch’s tools
• This was the first case in Russian law-enforcement practice in which the author of an exploit kit was arrested as an accomplice to theft
Main activities
PREVENTION AND MONITORING
• CERT-GIB: monitoring and response
• Brand protection
• Information security audit
• Antipiracy
COMPUTER FORENSICS AND INVESTIGATION
• Computer forensics and malware investigation laboratory
• Incident investigation
• Independent financial and corporate investigations
SOFTWARE DEVELOPMENT
• Bot-Trek: cyber intelligence & threat analysis
• Bot-Trek TDS
Company’s structure
Offices: Moscow, New York, Singapore
Units:
• CERT-GIB
• Computer forensics and malware investigation laboratory
• Computer forensics
• Mobile groups
• Malware investigation
• Computer investigation department
• Financial investigation department
• Audit and consulting department
• Personal security service
• Analytics department
• Legal department
• Software development (Bot-Trek, Bot-Trek TDS)
• Prevention and monitoring
• Antipiracy
CERT-GIB computer security incident response team
• The first 24/7 CERT in Eastern Europe: CERT-GIB is the first round-the-clock computer security incident response team in Eastern Europe
• Transcontinental support: monitoring and response groups are present in different parts of the globe, in North America (New York), Europe (Moscow) and Asia (Singapore)
• Countermeasures against the following types of threats: phishing, spam, DDoS attacks, malware, botnets
• .RU, .РФ, .SU: a competent organization on combating cyber threats; an expert organization of the Coordination Center for TLD RU/РФ
PREVENTION AND MONITORING
CERT-GIB work methodology
• Active monitoring
  • Monitoring of information security incidents: phishing, spam emails, malware, etc.
  • Accepting requests through a form on its website, by e-mail and by hotline
  • Monitoring of professional communities
• Gathering information about an incident
  • Establishing the source of a threat
  • Threat analysis
  • Identifying the persons involved in the threat
  • Conducting forensic investigations
• Incident classification
  • Phishing
  • Malware
  • Dissemination of confidential information
  • DoS/DDoS attack
  • Spam
  • Other threats
• Incident neutralization
  • Suppressing the causes of the incident
  • Contacting foreign CERTs and CSIRTs for cooperation (if necessary)
  • Reporting to the requesting party
  • Transfer of materials to law enforcement agencies (if necessary)
CERT-GIB
An independent unit at Group-IB, which monitors and responds to information security incidents
• Monitoring of information security events
• Immediate response to information security incidents
• Conducting internal and external investigations
• Providing legal support to the entire complex of measures and their outcome
• Collection, investigation and processing of digital evidence and event logs
[Diagram: the customer connects over VPN to ISIRT №1, ISIRT №2, ISIRT №3, ...]
CERT-GIB cases
• Slenfbot takedown
• Virut takedown
• Grum takedown
antiphishing.ru
• A form for accepting reports about suspicious sites used for targeted attacks against Internet users. The project has existed since 2012 with the participation of CERT-GIB experts
• Information acquired is immediately sent to CERT-GIB analysts, who quickly process the incoming report and take the necessary measures to neutralize the malicious web resources
• A socially oriented project: after sending in a report, users are given the opportunity to share information about the antiphishing.ru project on social networks
Brand Point Protection: a range of services on online brand protection
• Protection against phishing: a system for early detection of phishing incidents and other incidents involving illegal use of brands on the Internet
• Protection of intellectual property: a package of measures aimed at preventing illegal distribution of digital content and elements of intellectual property on the Internet
• Protection of business reputation: monitoring the electronic media, blogs, forums and other resources on the Internet to identify information distorting or tarnishing a business reputation
• Monitoring counterfeit product markets: finding and identifying sales channels and sources of counterfeit products in order to stop such illegal activities
• Monitoring the mobile app market: identifying and responding to cases of illegal use of a brand in stores selling mobile apps that violate copyrights and/or are intended to attack our customer’s clients
Antipiracy: intellectual property protection on the Internet
• Protecting movies, software, music, e-books and computer games: Group-IB protects all kinds of digital content that can be found on the Internet
• The service combines automatic and manual monitoring: Group-IB anti-piracy software automatically monitors the Internet (Russian- and English-speaking segments) and finds all links with illegal content. A team of operators processes this data and takes measures
• Unique competencies and strong relationships with various authorities: Group-IB is a competent organization with the Coordination Center for TLD RU/РФ and cooperates with top hosting providers and domain name registrars
• Supporting legal platforms: we redirect the audience from pirate web-sites to legal platforms, and a number of pirate web-sites are ready to comply and operate legally
• Protecting your revenue: up to 90% of all illegal links are removed from the Internet, the popularity of official platforms grows together with revenue, and the image is protected
Information security audit
• Application security audit in source code: the audit helps to reveal vulnerabilities and gaps that can lead to information security threats
• Web application security audit: web applications are analyzed for the presence of vulnerabilities. After the analysis, the customer receives recommendations on how to address such vulnerabilities and improve security
• Industrial control systems and SCADA systems security audit: the audit helps to evaluate the level of security of key elements of an industrial network infrastructure against possible malicious internal and external impacts
• Penetration tests: a method of controlling the security of applications and AISs (automated information systems) by testing whether potential attackers could gain unauthorized access to the customer’s information
Benefits
• Increased market value for your company, by managing the security and volume of your company’s intangible assets, such as copyrights, know-how, trademarks and business reputation
• Increased sales revenues: removal of sources of illegal spread of counterfeit goods and confidential information, and interruption of cash flows to attackers’ projects
• Improved business reputation: wiping out false and untrue reviews that negatively affect your company’s business image from search results
• Increased trust in the brand: timely detection of unauthorized use of your brand and notifying you to ensure the safety of that brand. Customer centricity prompts positive feedback from current customers and attracts new ones
• Compensation for damages caused: legally prosecuting criminals illegally using your brand, and subsequently receiving compensation for damages caused by their activities
COMPUTER FORENSICS AND INVESTIGATION
Cyber crime investigation
NETWORK ATTACKS
• ONLINE BANKING THEFT
• DDOS ATTACK
• VOIP HACKING
• UNAUTHORIZED ACCESS TO WEBSITES, DATABASES, SERVERS AND MAIL
• NETWORK BLACKMAIL / EXTORTION
TARGETED ATTACKS / INDUSTRIAL ESPIONAGE
• TARGETED VIRUS ATTACKS
• WIRETAPPING OF NETWORK CHANNELS
• INSTALLATION OF MALICIOUS LOGIC
• INSTALLATION OF DIGITAL BACKDOORS
SABOTAGE AND INSIDERS
• INFORMATION LEAKAGE
• INFORMATION DESTRUCTION
• DATA MANIPULATION TO COMMIT FRAUD
• ACCESS DENIAL
ECONOMIC CRIMES
• HIGH-TECH FRAUD
• EXTORTION
• DISCLOSURE OF TRADE SECRETS AND CONFIDENTIAL INFORMATION
• ILLEGAL USE OF TRADEMARKS AND BRANDS
Computer forensics and malware investigation
• Digital evidence collection: gathering information about an incident and determining the sources where evidential information is stored. Preserving and presenting evidential information in accordance with state laws
• Forensic investigation: analyzing the incident, and obtaining and securing evidence admissible in court proceedings
• Express forensics: conducting forensic investigations in a very short time
• Participation of experts in special investigation activities: minimizing the possibility of evidence being destroyed due to unskilled actions, and providing proper legal status to technical measures
Computer forensics and malware investigation
• Malware investigation: identifying the functional capabilities of executable files and establishing network addresses. Analyzing and decoding configuration files and other ancillary data
• Comparison of source code with software products: conducting computer investigations into plagiarism in the field of IT
• Mobile device investigation: investigating mobile devices at the logical and physical levels, as well as at the file system level
• Outsourcing of services: combining services into a single complex, which makes it possible to manage incidents efficiently and minimize time and financial costs
Independent financial and corporate investigations: protection of a company’s financial and economic interests against various internal and external abuses
• Investigation of violations within a company and verification of the facts of a probable fraud
• Independent and objective assessment of potential abuses by employees
• Investigation of misappropriation of assets and property; returning such assets and property and/or taking measures established by law
• Revealing cases of hidden conflicts of interest and relationships that are contrary to business ethics
• Comprehensive analysis of the reliability of suppliers, manufacturers, business partners, sales agents, own employees and other parties
Benefits
• Possible compensation for damages once the perpetrators are identified and prosecuted
• Increased business stability brought about by lower financial costs of information security
• Minimizing existing risks by promptly obtaining information about an incident that occurred, and preventing such risks from arising in the future
• Increased speed of responding to incidents thanks to the use of advanced forensic and e-discovery practices
• Reduced financial costs of building your own infrastructure and training forensic and e-discovery experts
SPECIALIZED SOFTWARE DEVELOPMENT AND DEPLOYMENT
Bot-Trek
• An intelligent, self-learning, self-filling, full-cycle proprietary ecosystem
• Functional unity of knowledge, experience and technology
The Bot-Trek ecosystem provides companies with software for the identification of, strategic planning for and rapid response to current global risks and security threats
Bot-Trek
Bot-Trek helps protect against zero-day attacks and prevent or prepare for further attacks or threats
Bot-Trek products allow:
• Real-time monitoring of the constantly changing cyber threat environment
• Use of specific indicators to assess the level of threats to the business
• Acquiring new knowledge that is necessary to protect the company today and in the future
Depending on your business risks, Bot-Trek provides:
• Protection against theft in payment systems, online banking and mobile devices
• Protection against targeted attacks (APTs)
• Identification of and rapid response to actual global risks and security threats
• Tools for strategic security planning and risk assessment
Bot-Trek CI
Bot-Trek Cyber Intelligence (CI) is a platform that provides companies around the world with real-time personalized analytical information for strategic planning, identification of and rapid response to urgent global risks and threats to security.
• Impacts of changes in the external ‘Cybercrud’ are monitored and assessed
• Additional information is collected and correlated so that Bot-Trek CI can provide global sector information on various types of high-tech threats
• By processing huge volumes of raw data, Bot-Trek CI provides the customer with only reliable and relevant information for the decision-making process
Bot-Trek CI
Bot-Trek CI performs research, processes and correlates information from multiple private and public resources
Group-IB uses its own unique developments for collecting and correlating data. Each block of data complements the next, providing better coverage and a higher level of protection for our clients
Bot-Trek TDS
The system is designed to identify Trojans, spyware, illegal remote administration tools, exploits for workstations and mobile botnets.
Delivered as a “device + service” model, Bot-Trek TDS is an effective tool for outsourcing routine processes, such as server administration, signature updating and log analysis.
• Bot-Trek TDS complements other intrusion detection systems already installed in the customer’s infrastructure
• The standard complete set has low hardware platform requirements, can be deployed on the customer’s own platform remotely and is easily integrated with SIEM and IPS systems
• There are almost no false positives. Hence, each incident detected is a reason for specific actions and not just a “practice alert”
• Confidentiality of corporate information is preserved because traffic does not go beyond the customer’s infrastructure
• There is no need to hire and certify a separate highly-paid employee because CERT-GIB takes full charge of expert analysis of detected events 24/7/365
Bot-Trek Intelligent Bank (IB)
Protects online payments from fraud without installation on the endpoint devices
Bot-Trek IB was designed as a SaaS solution and does not require changes in an enterprise infrastructure or online banking software. The client part is loaded together with the online banking website.
• Identifies new types of attacks and malicious codes
• Identifies client devices infected by malicious codes by detecting web injects
• Protects against phishing and pharming attacks
• Identifies remote connections to a client device
• Classifies malicious codes
Benefits
• Minimization of financial losses due to real-time fraud prevention, rapid response to incidents and a reduction in the costs of supporting victims
• Minimization of reputational risks due to a reduced number of victims
• Compensation for financial losses due to comprehensive investigation, with a possible subsequent lawsuit
www.group-ib.com info@group-ib.com
facebook.com/groupib twitter.com/groupib
youtube.com/groupib linkedin.com/company/group-ib