Cyber intelligence and warfare presentation 2015 (1)
Cyber Intelligence and Warfare
Jeremy Makowski
Cyber Intelligence and Counter Terrorism Analyst
Contact: [email protected] | @JeremyMakowski | Jeremy Makowski
Executive Summary
1/ Cyber Space and Intelligence
I. Cyber Threat Landscape
II. Cyber Space and its different environments
III. Cyber Intelligence (where to gather information?)
IV. Threat Actor Profiles
2/ Cyber Warfare
V. Global Vision of Cyber Warfare
VI. Terrorist Organizations and Cyber Space
VII. State Actors' Cyber Capabilities
I. Cyber Threat Landscape
• One hundred million cyber attack attempts per day worldwide (source: cybermap.kaspersky.com)
Globalization of Threats
I. Cyber Threat Landscape
• Multiple motivations
• Diversity of attacks
• Multiple targeted sectors
I. Cyber Threat Landscape
Development of the Open Source Ecosystem
• Forums (Open Source hacking tools, techniques)
• Social networks and Chat (propaganda, recruitment, sharing ideas…)
• Underground Networks (Darknet, private encrypted networks)
I. Cyber Threat Landscape
Cyber Crime
• Top 10 countries for cyber crime (Russia, US, Eastern Europe, Vietnam, Indonesia, Brazil, Nigeria, China, Romania, South Korea)
Cyber Terrorism
• Al Qaeda
• Islamic State
Hacktivism
• Anonymous movements
• Islamic hacktivists
II. Cyber Space and its different layers
• Web (Google, Bing, Yahoo)
• Deep Web (Yandex, DuckDuckgo, Iseek)
• Darknet (TOR, I2P, Tails)
Web
• Use a spider program to fetch as many webpages as possible
• A program called an indexer then reads these webpages and creates an index, storing the URL and important content from webpages
• Each search engine has its own ranking algorithm that returns results based on their relevance to the user’s specified keywords
Deep Web
• Everything that is not found by a search engine’s spider program is considered to be the deep web
• Most of the web pages on the internet are not indexed by search engines. Around 75% of the entire internet is invisible web content
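The spider / indexer / ranker pipeline described under "Web", and the reason "Deep Web" pages stay invisible, as an added example (not code from the slides). It crawls a constructed in-memory site (`SITE`, `ROBOTS_DISALLOW` and all URLs are made up for the demo), builds an inverted index, and answers keyword queries. Two pages never make it into the index: one reachable only by submitting a form (no inbound link) and one that robots.txt disallows. That is exactly the content a surface-web search engine cannot return.

```python
import re
from collections import defaultdict

# Constructed in-memory "web" used as the crawl target: url -> (html, outbound links).
# Example data, not from the slides.
SITE = {
    "http://example.test/": (
        "<h1>Welcome</h1> Public portal about cyber threat intelligence.",
        ["http://example.test/blog", "http://example.test/search", "http://example.test/admin"]),
    "http://example.test/blog": (
        "<p>Threat intelligence feeds and darknet monitoring notes.</p>",
        ["http://example.test/"]),
    "http://example.test/search": (
        "<form>Query the database</form>", []),
    # Only reachable by submitting the form: nothing links to it, so the spider never finds it.
    "http://example.test/search?q=actor": (
        "<p>Database result: threat actor profiles.</p>", []),
    # Linked from the home page but disallowed by robots.txt: a polite spider never fetches it.
    "http://example.test/admin": (
        "<p>Admin panel with threat actor dossiers.</p>", []),
}
ROBOTS_DISALLOW = {"http://example.test/admin"}

TOKEN_RE = re.compile(r"[a-z0-9]+")

def tokenize(html):
    """Strip tags and split into lowercase terms."""
    return TOKEN_RE.findall(re.sub(r"<[^>]+>", " ", html).lower())

def spider(seed, fetch, disallowed, max_pages=100):
    """Breadth-first crawl: follow links from the seed, skip robots-disallowed URLs.
    Returns {url: html} for every page actually fetched."""
    seen, queue, fetched = {seed}, [seed], {}
    while queue and len(fetched) < max_pages:
        url = queue.pop(0)
        if url in disallowed:
            continue
        page = fetch(url)
        if page is None:
            continue
        html, links = page
        fetched[url] = html
        for link in links:
            if link not in seen:
                seen.add(link)
                queue.append(link)
    return fetched

def build_index(fetched):
    """Inverted index: term -> {url: term frequency}."""
    index = defaultdict(dict)
    for url, html in fetched.items():
        for term in tokenize(html):
            index[term][url] = index[term].get(url, 0) + 1
    return index

def search(index, query):
    """Rank by summed term frequency of the query words (deliberately simple ranking)."""
    scores = defaultdict(int)
    for term in tokenize(query):
        for url, tf in index.get(term, {}).items():
            scores[url] += tf
    return sorted(scores, key=lambda u: (-scores[u], u))

def demo():
    fetched = spider("http://example.test/", SITE.get, ROBOTS_DISALLOW)
    return fetched, build_index(fetched)

if __name__ == "__main__":
    fetched, index = demo()
    print("indexed:", sorted(fetched))
    for q in ("threat", "profiles", "dossiers"):
        print(q, "->", search(index, q))
```

Querying "profiles" or "dossiers" returns nothing even though both pages exist on the server: form-gated and robots-blocked content is the deep web in miniature. Reaching it takes a tool that submits the form or ignores robots.txt, which is the gap the Memex project described below was meant to close.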
Deep Web Project
• Defense Advanced Research Projects Agency (DARPA)
• The Memex search engine program was started in 2014 and aims to secure the Internet from hackers, human traffickers and other criminals
• DARPA describes Memex as a set of search tools that are better suited to government (presumably law enforcement and intelligence) use than commercial search engines
The Darknet
What is the Darknet?
Originally created for military purposes
In the 1970s the term designated networks isolated from ARPANET (which later became the Internet) for security reasons: such a darknet could receive data from ARPANET but had addresses that did not appear in the network lists and would not answer pings or other inquiries.
Open to the public
The darknet became available to the public in the 2000s with the development of open source software such as Freenet, TOR, I2P, etc.
Darknet Software
• Freenet: created in 2000
• The Onion Router (TOR): created in 2002, gaining popularity since 2004
• Invisible Internet Project (I2P): created in 2003
How to access the Darknet?
How does the Darknet work?
Based on overlay networks
• An overlay network is a computer network built on top of another network. The overlay network nodes are interconnected by logical links that run over the underlying network, whose complexity is not visible to the overlay.
Does not use regular URLs
• Uses specific extensions which are not searchable by regular search engines, e.g. http://ozy7mnciacbc5idc.onion, http://drugs6atkjvtk64f.onion
Does not expose the public IP address
• Hides the public IP address in order to preserve anonymity
The Onion Router (TOR)
• Tor works by anonymizing the transport of data.
• Tor encrypts the data you send through the web in multiple layers. The data is then relayed through other computers. Each relay sheds one layer; the data finally arrives at the destination in full (decrypted) form.
• The software bounces users around a network of open connections run by volunteers all over the globe.
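The layered encryption and relay-by-relay peeling just described, as an added example (not Tor's code and not from the slides). The client wraps a message for three hops; each relay strips one layer and learns only where the cell came from and where it goes next. The stream cipher is a toy (HMAC-SHA256 in counter mode, a stand-in for Tor's AES-CTR), the cell layout and hop names are assumptions for the demo, and keys are simply generated locally instead of being negotiated with each relay.

```python
import hashlib
import hmac
import os

HOP_LEN = 16  # fixed-width next-hop field so a relay can parse its own layer

def keystream(key, nonce, length):
    """Toy stream cipher: HMAC-SHA256 in counter mode (stand-in for Tor's AES-CTR)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key, plaintext):
    nonce = os.urandom(16)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))

def decrypt(key, blob):
    nonce, ct = blob[:16], blob[16:]
    ks = keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

def build_onion(hops, destination, message):
    """hops: [(relay_name, key shared between client and that relay), ...] from guard to exit.
    The innermost layer (exit) carries the destination and the cleartext message; every outer
    layer carries only the name of the next relay plus the still-encrypted inner cell."""
    layer = destination.encode().ljust(HOP_LEN, b"\0") + message
    cell = encrypt(hops[-1][1], layer)
    for i in range(len(hops) - 2, -1, -1):
        layer = hops[i + 1][0].encode().ljust(HOP_LEN, b"\0") + cell
        cell = encrypt(hops[i][1], layer)
    return cell

def peel(key, cell):
    """What one relay does: strip its layer and read the next hop."""
    layer = decrypt(key, cell)
    return layer[:HOP_LEN].rstrip(b"\0").decode(), layer[HOP_LEN:]

def forward(hops, cell):
    """Simulate the circuit and record what each relay sees: previous hop and next hop."""
    view, prev = [], "client"
    for name, key in hops:
        next_hop, cell = peel(key, cell)
        view.append((name, prev, next_hop))
        prev = name
    return view, next_hop, cell

def demo():
    # Keys are generated locally here; real Tor derives them with each relay during circuit setup.
    hops = [("guard", os.urandom(32)), ("middle", os.urandom(32)), ("exit", os.urandom(32))]
    onion = build_onion(hops, "site.example", b"GET / HTTP/1.0")
    view, destination, message = forward(hops, onion)
    return {"onion": onion, "view": view, "destination": destination, "message": message}

if __name__ == "__main__":
    result = demo()
    for relay, prev_hop, next_hop in result["view"]:
        print(f"{relay}: from {prev_hop} -> to {next_hop}")
    print("exit delivers", result["message"], "to", result["destination"])
```

The middle relay sees "guard" behind it and "exit" ahead of it and nothing else; the guard knows the client but not the destination; the exit knows the destination but not the client. That split is the anonymity property, and it also explains the standard caveat: the exit relay sees the cleartext message unless the payload is itself encrypted (HTTPS inside Tor). Real Tor additionally uses TLS between relays, fixed 512-byte cells and Diffie-Hellman-derived keys per hop.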
III. Cyber Intelligence Data Collection
Different sources for gathering intelligence about different threats:
• Paste sites and leak websites
• Social networks
• IRC chat
• Website defacements
• Underground forums
• Black markets
Paste Site
• A type of web application where users can publish and store plain text
• Often used by hacktivists and hackers to leak databases, credit card numbers and other private information
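Monitoring paste sites means triaging a stream of plain text for the leaked material described above. The scanner below is an added example (not from the slides) that pulls e-mail addresses, password hashes and card numbers out of a paste and uses the Luhn checksum to drop digit runs that merely look like cards. The sample paste is fabricated: the card is the well-known Visa test number 4111 1111 1111 1111, the hash is md5("password"), and the addresses use reserved example domains.

```python
import re

# Constructed sample paste (fabricated test data, not a real leak).
SAMPLE_PASTE = """\
#OpExample db dump - users table
alice@example.com:5f4dcc3b5aa765d61d8327deb882cf99
bob@example.org:notahash
cc: 4111 1111 1111 1111 exp 12/19
cc: 1234-5678-1234-5678 exp 01/20
order id 20150701123456789
"""

# 13 to 19 digits with optional single spaces or dashes between them
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# MD5 / SHA-1 / SHA-256 sized lowercase hex strings
HASH_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{64}\b")

def luhn_ok(digits):
    """Luhn checksum: rejects most random digit runs (order ids, phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def triage_paste(text):
    """Return the indicators found in a paste, grouped by type."""
    cards = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            cards.add(digits)
    return {
        "cards": sorted(cards),
        "emails": sorted(set(EMAIL_RE.findall(text))),
        "hashes": sorted(set(HASH_RE.findall(text))),
    }

if __name__ == "__main__":
    for kind, hits in triage_paste(SAMPLE_PASTE).items():
        print(f"{kind}: {hits}")
```

Only the Luhn-valid card survives; the "1234-5678-..." line and the 17-digit order id are dropped. Two practical notes: the card pattern is greedy, so a card immediately followed by more digits (an expiry without a separator) gets absorbed into one run and fails the check, and a hex string of hash length is only a hint, not proof of a hash. In a collection pipeline these hits feed an alert, not an automatic conclusion.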
Social Networks
Used as Command and Control (C&C):
• Easy to use for spreading ideologies
• Share hacking tools
• Set up hacktivist campaigns
• Publish results of attacks
Internet Relay Chat (IRC)
Each server contains multiple channels. IRC channels are used:
• To discuss hacking issues
• For dealing in credit card (CC) data and PII
Website Defacements
• Mostly used by hacktivists and hackers
• Defacement archives record and rank defacements by threat actor, domain and country
Underground Forums
Black Markets
Threat Actor Profiling
Cyber Criminals
• Main goal: make money
• TTPs: phishing, Trojan horses, SQLi, DDoS, PoS malware, social engineering
• Do not communicate except for deals on the black markets
Black Hat Hackers
• Main goal: show off
• TTPs: SQLi, phishing, XSS, defacement; use hacking forums
• Leak data for fun
Hacktivists
• Main goal: ideology / nationalism
• TTPs: SQLi, XSS, DDoS, defacement; use social media as a C&C platform
• Want people to know that they are behind the attack and broadcast their ideological and political messages
Global Vision of Cyber Warfare
Cyber Crime
• Actors: criminals such as weapon dealers, drug dealers, fraudsters (financial fraud)
• Response: cyber intelligence, security systems, CERTs and cyber security policies
Cyber Terrorism
• Actors: Al Qaeda, ISIS, Hamas, Syrian Electronic Army
• Response: cyber intelligence, intelligence (HUMINT), online counter-propaganda
Hacktivism
• Actors: Anonymous movements, Islamic hacktivists, hacktivism related to conflicts
• Response: cyber intelligence, VHUMINT, CERTs
Cyber Espionage
• Actors: states (USA and the Five Eyes, China, India, Russia, France, Germany, Iran, Israel)
• Response: counter-espionage, national cyber defense policy, military cyber command
Terrorist Organizations and Cyber Space
• In 2007 Al Qaeda developed an original email encryption software named "Mujahideen Secrets"
• In 2013 Al Qaeda, through the GIMF (Global Islamic Media Front), released new encryption software for messages named "Asrar al-Dardashah", and through Al-Fajr "Amn al-Mujahid"
• In 2013 ISIS developed an encryption program named "Asrar al-Ghurabaa"
State Actors' Cyber Capabilities: China (People's Liberation Army)
Military cyber capability: Cyber Unit 61398, SIGINT Unit 61486
Notable state-sponsored groups: APT30, Putter Panda, Axiom group and others
Capabilities (Unit 61398 alone): 1,000 servers, 2,000 soldiers, optical fiber connection
Techniques: sophisticated malware, spear phishing, social engineering
Operations launched:
• Since 2006: multiple cyber espionage intrusions against 141 organizations across 20 industries worldwide
• 2010: cyber attack on Google infrastructure to steal intellectual property
State Actors' Cyber Capabilities: Russia (Federal Security Service)
Military cyber capability: FSB, FSO, GRU; a military cyber command expected in 2017
Notable state-sponsored groups: APT28, Anunak APT, CozyDuke APT
Techniques: sophisticated malware, spear phishing, social engineering, zero-day exploits, code injection
Operations launched:
• Since 2008: Uroburos malware, used for cyber espionage against the US and spread via phishing
• 2010: Energetic Bear cyber espionage campaign targeting foreign industries, with 2,800 victims worldwide and 219 websites used as C&C to spread malware
• 2013: Operation Armageddon, a cyber espionage attack against Ukraine over the EU agreement
State Actors' Cyber Capabilities: Iran (Iranian Revolutionary Guards)
Military cyber capability: Army Cyber Defense Command, National Supreme Cyber Council, Cyber Police Unit
Notable state-sponsored groups: Ashiyane Security Team, Basij group (propaganda), Parastoo, Iranian Cyber Army
Capabilities: hundreds of soldiers, dozens of civilian threat actors
Techniques: sophisticated malware, spear phishing, social engineering, code injection
Operations launched:
• 2011: Iran claimed to have captured a US spy aircraft by hijacking its navigation systems
• 2012: Iranian cyber-attack campaign against foreign critical infrastructure, named "Operation Cleaver"
• 2014: cyber espionage operation against the US and Israel using the "Gholee" malware
• 2015: cyber-attack campaign across the Middle East named "Thamar Reservoir"
Thank You!