Computer Crime on the Rise FBI-San Francisco Computer Intrusion Squad.

Transcript of Computer Crime on the Rise FBI-San Francisco Computer Intrusion Squad.

Page 1:

Computer Crime on the Rise

FBI-San Francisco

Computer Intrusion Squad

Page 2:

Overview

• Computer Security Institute (CSI) Survey
• FBI Computer Squads
• How to Prepare for an Attack
• What to do when You’re a Victim

Page 3:

CSI and FBI Computer Security Survey

Page 4:

Unauthorized use of computer systems within the last 12 months?

[Bar chart by year, 1996–2000: respondents answering YES, NO, and DON’T KNOW]

CSI/FBI 2000 Computer Crime and Security Survey. Source: Computer Security Institute

Page 5:

Types of attack or misuse detected within the last 12 months

[Bar chart by year, 1997–2000, for: Theft of proprietary info, Sabotage, Telecom eavesdropping, System penetration, Insider abuse of Net access, Financial fraud, Virus, Unauthorized access by insiders, Telecom fraud, Active wiretap, Laptop, Denial of Service]

CSI/FBI 2000 Computer Crime and Security Survey. Source: Computer Security Institute

Page 6:

Likely sources of attack

[Bar chart by year, 1997–2000, for: Foreign gov., Foreign corp., Independent hackers, U.S. competitors, Disgruntled employees]

CSI/FBI 2000 Computer Crime and Security Survey. Source: Computer Security Institute

Page 7:

Internet connection is increasingly used as point of attack

[Bar chart by year, 1996–2000, for: INTERNAL SYSTEMS, REMOTE DIAL-IN, INTERNET]

CSI/FBI 2000 Computer Crime and Security Survey. Source: Computer Security Institute

Page 8:

Dollar amount of losses by type

[Bar chart of reported dollar losses for: Active wiretapping, Telecom eavesdropping, System penetration, Sabotage, Denial of service, Insider net abuse, Laptop theft, Virus, Financial fraud, Telecom fraud, Theft of proprietary info, Unauth. insider access]

CSI/FBI 2000 Computer Crime and Security Survey. Source: Computer Security Institute

Page 9:

WWW site incidents: What type of unauthorized access or misuse?

[Bar chart by year, 1999–2000, for: Vandalism, Financial Fraud, Denial of Service, Theft of Transaction Info]

CSI/FBI 2000 Computer Crime and Security Survey. Source: Computer Security Institute

Page 10:

If your organization has experienced computer intrusion(s) within the last 12 months, which of the following actions did you take?

[Bar chart by year, 1996–2000, for: Patched holes, Did not report, Reported to law enforcement, Reported to legal counsel]

CSI/FBI 2000 Computer Crime and Security Survey. Source: Computer Security Institute

Page 11:

The reasons organizations did not report intrusions to law enforcement

[Bar chart by year, 1996–2000, for: Negative publicity, Competitors would use to advantage, Unaware that could report, Civil remedy seemed best]

CSI/FBI 2000 Computer Crime and Security Survey. Source: Computer Security Institute

Page 12:

Would your organization consider hiring reformed hackers as consultants?

[Bar chart by year, 1999–2000: Yes, No, Don't know]

CSI/FBI 2000 Computer Crime and Security Survey. Source: Computer Security Institute

Page 13:

The FBI and Computer Intrusion Investigation

Page 14:

Regional Computer Squads

• 14 Regional Squads
  – Supervisor
  – Investigators
  – Analysts
  – Computer Analysis Response Team (CART)
• Investigation
• Liaison

Page 15:

National Infrastructure Protection Center

NIPC

Page 16:

[Map of regional computer squad locations: Chicago, Dallas, Los Angeles, San Francisco, WFO, New York, Boston, Miami, Atlanta, Charlotte, Seattle, New Orleans, San Diego, Newark]

Approximately 215 Special Agents Today. Target 275 SAs FY00 plus Computer Scientists

Page 17:

FBI Program

• Specially trained agents in all 56 FBI Divisions
• Growing program
  – Ongoing training
  – Technical recruiting
• Computer Forensic Examiners
  – FBI Laboratory
  – Field Agents (CART)

Page 18:

How to Prepare for an Attack

Page 19:

Preparation

• Post Warning Banners:
  – Every system should display banner
    • Display at every log in
    • System is property of your organization
    • System is subject to monitoring
    • No expectation of privacy while using system
  – Management and Legal Counsel should approve
  – DO NOT reveal system purpose/OS/etc.

Page 20:

DoD Banner

• “This is a Department of Defense (DoD) computer system. DoD computer systems are provided for the processing of Official US Government information only. All data contained on DoD computer systems is owned by the Department of Defense and may be monitored, intercepted, recorded, read, copied, or captured in any manner and disclosed in any manner, by authorized personnel.”

Page 21:

DoD Banner

• “THERE IS NO RIGHT OF PRIVACY IN THIS SYSTEM. System personnel may give to law enforcement officials any potential evidence of crime found on DoD computer systems. USE OF THIS SYSTEM BY ANY USER, AUTHORIZED OR UNAUTHORIZED, CONSTITUTES CONSENT TO THIS MONITORING, INTERCEPTION, RECORDING, READING, COPYING or CAPTURING and DISCLOSURE.”

Page 22:

Preparation

• Be Proactive to Prevent Incidents
  – Establish Security Policy
  – Monitor and Analyze Network Traffic
  – Assess Vulnerabilities (System Scans)
  – Configure Systems Wisely
    • Limit Services (FTP/telnet)
    • Patches
  – Establish Training for Employees

Page 23:

Preparation

• Establish Policy on Employee Privacy
  – E-mail: Owned by Corp. or Employee
  – Data Files
  – Encryption okay?
    • Keys
• Disgruntled Employees

Page 24:

Preparation

• Establish Organizational Approach to Intrusions (2 ways)
  – Contain, Clean and Deny Further Access
    • STOP Intruder
    • Remove from Network
    • Repair System
    • IP Filtering, Firewalls, etc.
  – Monitor and Gather Information
    • Intruder in a Fishbowl

Page 25:

Preparation

• Policy for Peer Notification
  – DDOS
  – Network Attacks
• Remote Computing
  – Telecommuters
    • Laptop Privacy (temps, contractors too)
  – Acceptable Use Policy (Sign Yearly)
  – Revoke Access when no longer required
  – Log Remote Access (Radius/Caller ID/Remote Callback)

Page 26:

Preparation

• Develop Management Support
• Develop a Team
  – Assign Specific Duties
    • Call-out duty and phone list
    • Legal Counsel
    • PR/Law Enforcement Liaison
• Assign a Person to be Responsible for Incident

Page 27:

System Preparation

• System Backups
  – Original O/S
  – Log Files
  – Admin Files/Applications
  – Data
  – Don’t re-introduce problem

Page 28:

System Preparation

• Install and Configure
  – Intrusion Detection System
  – Firewall
  – Auditing/Logging
• Monitor
  – Industry information
  – Intrusion/hacker techniques

Page 29:

The Security Investment

• Recruit and hire security capable staff
  – “Reformed” Hackers?
• Keep current on system vulnerabilities
• Ensure networked systems are maintained and patched
• Train administrators and users of systems in security and protection measures

Page 30:

Preparation

• Have a plan in place PRIOR to an attack
• You WILL be attacked!

Page 31:

I’ve Been Hacked!

or

What to do when you’re a Victim

Page 32:

What the FBI can do

• Combine technical skills and investigative experience
• National and Global coverage (LEGATS)
• Apply more traditional investigative techniques
• Long-term commitment of resources
• Integration of law enforcement and national security concerns
• Pattern analysis - BIG PICTURE
• Can provide deterrent effect . . . even if hacker not prosecuted

Page 33:

What the FBI won’t do:

• Take over your systems
• Repair your systems
• Share proprietary information with competitors
• Provide investigation-related information to the media or your shareholders

Page 34:

When You’re a Victim

• Stop and Think -- REMAIN CALM
  – Take detailed notes (who, what, why, where, when, and how)
  – Notify appropriate persons
    • Supervisor
    • Security Coordinator
    • Legal Counsel
  – Enforce a Need to Know Policy

Page 35:

When You’re a Victim

• Communicate Wisely
  – email/chat -- intruder may be listening
  – Use telephone/voicemail/fax/etc.
  – If email, use encryption
• Remove system from Network
• Disable Internet Access

Page 36:

When You’re a Victim

• Make a Bit by Bit copy of system
  – Use NEW media & VERIFY the backup!!
  – Initial and date backup…time stamp
  – Secure in a locked, limited access location
• Maintain Chain of Custody
• Collect other evidence in the same manner
  – Always preserve originals!

Page 37:

When You’re a Victim

• Best Evidence Rule
  – Original Drives
  – Bit by Bit Copy (dd)
  – Copy of relevant files
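The imaging and custody steps on the two slides above (bit-by-bit copy to new media, verify the copy, initial and date it, keep a chain-of-custody record), as an added Python example that is not part of the FBI deck: it copies a constructed file standing in for a drive block by block, verifies the image by SHA-256, and appends custody entries. The examiner initials `JD`, the file names and the sample content are assumptions made for the example.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 4096  # fixed-size blocks, the same idea as dd's bs= option


def sha256_of(path):
    """Hash a file block by block so large images never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(source, image, block_size=BLOCK_SIZE):
    """Bit-by-bit copy of `source` onto NEW media at `image`, then verify.
    Refuses to touch existing media: an image is only ever written to a fresh file."""
    if os.path.exists(image):
        raise FileExistsError(f"refusing to overwrite existing media: {image}")
    copied = 0
    with open(source, "rb") as src, open(image, "xb") as dst:  # 'x' = create only
        for block in iter(lambda: src.read(block_size), b""):
            dst.write(block)
            copied += len(block)
    src_digest, img_digest = sha256_of(source), sha256_of(image)
    return {"bytes": copied, "sha256": src_digest, "verified": src_digest == img_digest}


def record_custody(log_path, item, digest, initials, action):
    """Append one chain-of-custody entry: when (UTC), who, what was done, and the hash."""
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    line = f"{stamp}\t{initials}\t{action}\t{item}\tsha256={digest}\n"
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(line)
    return line


def demo():
    """Run the procedure on a constructed 'drive' (sample bytes, not real evidence)."""
    work = tempfile.mkdtemp()
    device = os.path.join(work, "sda1.raw")
    with open(device, "wb") as f:  # constructed content: 9320 bytes, not a block multiple
        f.write(b"\x00" * 4096 + b"FAT32 " * 700 + bytes(range(256)) * 4)
    image = os.path.join(work, "sda1.dd")
    custody = os.path.join(work, "custody.log")
    result = image_device(device, image)
    record_custody(custody, image, result["sha256"], "JD", "imaged from original drive")
    record_custody(custody, image, result["sha256"], "JD", "sealed in locked evidence cabinet")
    try:  # a second run must not silently overwrite the image already in custody
        image_device(device, image)
        result["refused_overwrite"] = False
    except FileExistsError:
        result["refused_overwrite"] = True
    with open(custody, encoding="utf-8") as log:
        result["custody_entries"] = len(log.readlines())
    return result
```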

Page 38:

When You’re a Victim

• Begin analysis to determine what happened
  – Work from copy if possible
  – Review system, firewall, router logs
  – Look for “Trojaned” system files
  – Look for new, suspicious users
  – Contact ISP for logs and possible filtering
  – Consider contacting attacking host sys admin
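Two of the analysis checks on this slide, looking for trojaned system files and for new, suspicious users, as an added Python example that is not from the deck: system-file hashes taken from the compromised copy are compared against a baseline recorded from a clean backup, and /etc/passwd lines are reviewed for accounts that are new or that share UID 0 with root. Every file content, hash, account name and the baseline itself are constructed for the example.

```python
import hashlib


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def find_trojaned(baseline, current):
    """Compare current file hashes with the pre-incident baseline (from the clean backup).
    `baseline` maps path -> sha256 hex; `current` maps path -> file content bytes.
    Returns paths whose content changed and paths that were not on the system before."""
    changed = sorted(p for p, data in current.items()
                     if p in baseline and sha256_hex(data) != baseline[p])
    unknown = sorted(p for p in current if p not in baseline)
    return {"changed": changed, "unknown": unknown}


def find_suspicious_users(passwd_text, baseline_users):
    """Flag accounts that are new since the baseline or that are UID 0 without being root."""
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":", 6)
        if uid == "0" and name != "root":
            findings.append((name, "uid 0 account that is not root"))
        elif name not in baseline_users:
            findings.append((name, f"account not in baseline, shell {shell}"))
    return findings


# Constructed baseline: hashes of the binaries as they were on the clean backup.
CLEAN = {"/bin/login": b"ELF login v1", "/bin/ls": b"ELF ls v1", "/sbin/sshd": b"ELF sshd v1"}
BASELINE = {p: sha256_hex(d) for p, d in CLEAN.items()}
# Constructed post-incident state: /bin/login replaced, an extra binary dropped under /tmp.
CURRENT = {**CLEAN, "/bin/login": b"ELF login v1 + backdoor", "/tmp/.x/bnc": b"ELF bouncer"}
BASELINE_USERS = {"root", "daemon", "www", "alice"}
# Constructed /etc/passwd from the copy: two accounts that were not there before.
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
www:x:33:33:www:/var/www:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/sh
toor:x:0:0::/:/bin/sh
ftp2:x:1001:1001::/tmp/.x:/bin/sh
"""


def triage():
    """Run both checks over the constructed data and return the findings."""
    return {"files": find_trojaned(BASELINE, CURRENT),
            "users": find_suspicious_users(PASSWD, BASELINE_USERS)}
```

Against a real image the baseline would come from the backups listed on the System Preparation slide, and the same comparison can be run over any set of files, not only the three shown here.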

Page 39:

When You’re a Victim

• Start to determine cost of attack
  – Recovery costs
  – Lost business
  – Legal expenses
  – Salaries
  – Technical and Security Contractors
• Maintain incident log and chronology

Page 40:

When You’re a Victim

• Know When to Contact Law Enforcement
  – Intrusions, theft, espionage, child pornography, hate crimes, threats, and fraud
  – Dollar losses due to intrusions exceed $5K
• Law Enforcement Difficulties
  – keystroke monitoring
  – legal restrictions (victim as agent)

Page 41:

Networking

• Establish relationships within industry
• Participate in computer security forums
  – All industries have common cyber-link
  – SANS, CSI, others provide useful security programs, plans

Page 42:

Infragard

• Cooperative effort between government and industry
• Local chapters meet regularly
• Secure web site for sharing information
• Security bulletins e-mailed to members

Page 43:

Final Thoughts

• Any computer system is vulnerable
  – Internet
  – Local user
• Private and Public sector need to work together

Page 44:

Contact Us

FBI - San Francisco
Computer Intrusion Squad
22320 Foothill Blvd., Suite 530
Hayward, CA 94541-2700
(510) 886-7447
(415) 553-7400 [24 hrs.]
[email protected]