Dark Web – Use it at your advantage (transcript)
wizlynx group © 2017
Dark Web – Use it at your advantage
The Dark Web – use it to your advantage with Cyber Threat Intelligence
Andreas Crisante / Christian Fichera
@ Meet Swiss Infosec June 2017
Christian Fichera Senior Cyber Security Consultant @ wizlynx group
10+ years’ experience in secure web application development
Penetration Testing & Secure code review specialist
Web and Mobile application security assessments
Project manager
Basel, Switzerland
Andreas Crisante
Senior Cyber Threat Intelligence Advisor @ wizlynx group
Degree in Information Security
27+ years of practical experience and business expertise spanning all aspects of information technology management, thereof 16 years in Cyber Security
Extensive experience in defining and delivering IT security strategies, Cyber Security concepts, IT security and risk management, collaboration technologies, search and knowledge management
Basel, Switzerland
About wizlynx group
HQ in Switzerland, global presence
A strong Cyber Security service provider:
• Extensive experience in Security Reviews (Penetration Testing and Ethical Hacking, Information Security Audits)
• Infrastructure and network security solutions
• Managed Cyber Security Services
• Incident Response
• Cyber Threat Intelligence
• Complemented with a high level of competency in ISEC, Quality & Project Management for enterprise IT organizations
Portfolio of services (excerpt):
• Pen Tests & Ethical Hacking to assess devices, networks, services and applications for vulnerabilities; Social Engineering to assess human awareness
• PMO Services; Project, Quality, Engineering and Cyber Competence Centers
• 24/7 Infrastructure & Security Operations Center
Numerous credentials and extensive experience in:
• Pharmaceutical, banking, insurance, telecom, nutrition and IT industries
Exclusive partner for Switzerland
wizlynx Services Portfolio
Security Management Lifecycle
wizlynx Security As a Service – Operate and Maintain
• 24/7 monitoring of security infrastructure
• Analysis of security events from the various sources
• Depending on SLA: up to full management of security events
• Forensic analysis support in case of security breaches
• Incident Handling
• Cyber Threat Intelligence
wizlynx InfoSec Consulting – Policy & Controls
• Identification of the threat profile of the organization
• Plan and organize the ISMS
• Develop security architectures at organizational level
• Definition of applicable Security Controls for the ISMS domains
wizlynx Design & Integration – Design & Architecture
• Design & Architecture of Security Infrastructures
• Develop security architectures at application, network and component level
• Identify solutions per architecture level
• Pro-active reduction of vulnerabilities to reduce the impact of possible threats
wizlynx Security Assessments – Assess
• Accurate identification of systems
• Accurate identification of vulnerabilities at application, network and component level
wizlynx IT-Risk Assessments – Threat/Risk Management
• Assessment of threat severities
• Prioritization of remediation efforts
• Managing IT-Risk on
THE DARK WEB
The Web's Layers
DEEP WEB: partly visible, mostly hidden, requires special access with authentication
DARK WEB: hidden, difficult to find, needs specific access technologies
SURFACE WEB: vast, exposed, easy access
Dark Web: a Distributed Anonymization Network
Technology
• P2P network of many loosely connected hosts running special clients
• Participating hosts have multiple roles (Client, Relay, Exit Node)
• Communication is masked and encrypted
• Requests "hop" through the network to hide origin and/or destination
• Access to content can be restricted to the Dark Web only (a so-called "hidden service")
• Addresses use a specific designation (e.g. "t5dh587hhsg09xi809.onion")
• The Dark Web provides anonymity to both sites and users
History of the Deep/Dark Web (figure; source: Trend Micro)
What is the Dark Web? Content, Services & Products
• Collection of un-indexed and anonymous websites
• Marketplaces, Forums, Wikis, Blogs, etc.
• Intelligence exchange
• Marketplace for Remote Access Trojans, exploits, malware, stolen accounts, DBs of stolen data, PII data, malicious services like "Rent a botnet" or "Rent a DDoS attack", and more
• Bitcoin as main currency
Goods and services named in the slide graphic: Electronic Devices, E-Commerce Accounts, Bank Account Information, Credit Cards, Malware & Exploits, Botnet Rental, Personally Identifiable Information, Hitman For Hire, Counterfeit Money, Hacker For Hire, Drugs, Prescription Drugs, Weapons
Hitman for Hire (examples)
Weapons (examples)
And more (examples)
Underground Forums
Hacker For Hire (examples)
DARK WEB AND CYBER SECURITY?
Direct Threats from the Dark Web? A new channel for old attacks
• Only a small part of attacks originate from the Dark Web
• The present protection mechanisms and systems remain effective to a certain extent
• SIEM systems can identify Tor traffic, C&C traffic and CryptoLocker attacks
• The Dark Web camouflages the attack origin
• The attacks are analogous to those from the public internet
• Restricts pre-emptive detection and research, and discovery of the attack chain
• Restricts real-time identification of the threat actor
• Restricts post-breach forensic investigations
• The latest malware patterns analyzed in the outbreak indicate Dark Web integration
How big is the risk for an organization?
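As an added example (not part of the slides), a small Python detector that applies the SIEM point above to proxy or firewall log lines: it flags `.onion` hostnames in the address format shown on the anonymization-network slide, destinations that fall in a relay list a CTI feed would supply, and Tor's default ports. The relay ranges, the log line format and the sample lines are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed indicators for this example (RFC 5737 documentation ranges);
# a real deployment loads relay/exit lists from the CTI feed instead.
TOR_RELAY_NETS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]
# Default Tor ports: 9001 ORPort, 9030 DirPort, 9050/9150 local SOCKS proxies.
TOR_DEFAULT_PORTS = {9001, 9030, 9050, 9150}
# Any hostname label ending in .onion (real v2 addresses are 16 and v3 are 56
# base32 characters; the loose pattern also catches illustrative addresses).
ONION_RE = re.compile(r"\b[a-z0-9]{8,56}\.onion\b", re.IGNORECASE)

# Assumed log format: "<timestamp> <src_ip> <dst_ip> <dst_port> <host>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)$")

# Constructed sample log lines (no real hosts or addresses).
SAMPLE_LOG = [
    "2017-06-01T10:00:01Z 10.0.0.5 203.0.113.7 443 www.example.net",
    "2017-06-01T10:00:02Z 10.0.0.8 192.0.2.44 9001 -",
    "2017-06-01T10:00:03Z 10.0.0.9 198.51.100.3 443 t5dh587hhsg09xi809.onion",
]

def classify_line(line):
    """Return the list of reasons a log line looks like Tor/Dark Web traffic."""
    match = LINE_RE.match(line.strip())
    if not match:
        return []                      # unparseable line: handle via a separate alert
    _ts, _src, dst, port, host = match.groups()
    reasons = []
    if ONION_RE.search(host):
        reasons.append("onion-hostname")
    try:
        if any(ip_address(dst) in net for net in TOR_RELAY_NETS):
            reasons.append("known-tor-relay")
    except ValueError:
        pass                           # destination was a name, not an address
    if int(port) in TOR_DEFAULT_PORTS:
        reasons.append("tor-default-port")
    return reasons

def scan(lines):
    """Map each flagged source IP to its reasons, in order of first sighting."""
    hits = {}
    for line in lines:
        reasons = classify_line(line)
        if reasons:
            hits.setdefault(line.split()[1], []).extend(reasons)
    return hits

if __name__ == "__main__":
    for src, reasons in scan(SAMPLE_LOG).items():
        print(f"{src}: {', '.join(reasons)}")
```

A port or relay hit alone is a weak signal (other software reuses these ports); correlating it with the onion-hostname reason or the CTI feed's exit list is what makes it worth an alert.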
Attacks from the Dark Web: How is the Dark Web used by hackers?
• Attacks from the Dark Web mainly use HTTP-based delivery
• SQL Injection and vulnerability scans are the primary attacks discovered
Stimulus for attack from the Dark Web:
• Delivery of malicious code
• C&C (Command & Control) servers
• DDoS used to stage "decoy attacks"
• Delivery of valuable information
• Intelligence exchange
• Marketplace for exploits, hacker tools, etc.
"Knowledge is Power" (Sir Francis Bacon, 1597, English philosopher, statesman, scientist)
NEW AGE OF CYBER SECURITY: LEVERAGING WEB(S) INTELLIGENCE
New Age of Cyber Security
Perimeter Controls -> Intelligence and Integration -> Cooperation, Cognition & Preemptive
wizlynx CTI (Cyber Threat Intelligence) powered by
• Real-Time Monitoring
• Alerts & Early Warnings
• Qualitative and quantitative research and analysis
• Reporting
Cyber Threat Intelligence allows:
• visibility into the latest malware, exploits and threat vectors
• identification of the organization's information in the Dark Web and its use as an Indicator of Compromise (IOC)
• detection of upcoming attacks before they become active
• identification of compromised accounts and computers of your organization
• detection of stolen credit card information
• discovery whether the organization's confidential information or even trade secrets have become publicly available
• identification of Phishing and Cybersquatting attacks
• the automated and fast processing of hidden big data that is difficult to find and requires specific access technologies
Cyber Threat Intelligence = Cognition Security: preemptive, tailored Cyber Security protection
Unstructured Data -> Cognitive Analytics -> Preemptive Security
Sources
Open Sources (sample):
• Social Media – Facebook RSS, Twitter, YouTube
• Web based communities
• User generated content – wikis, blogs & video sharing sites
• Public & Academic data
• Pastebin
• Search engines
• IRC
• Malware databases (e.g. VirusTotal)
• Zeus Tracker
Closed Sources (sample):
• Closed forums & marketplaces
• Criminal infrastructure hosting malicious attacks
• Malware hunting in the dark net
• Honeypots
• Automated sink holing
• CERT collaboration
• Malware sandbox combined with human analysis
• Spam mailboxes
• Hacking & underground forums including zero-day exploit forums
wizlynx CTI (Cyber Threat Intelligence) powered by
High level features
Provides an organization with 5 unique capabilities, allowing it to perform the following actions on cyber threat intelligence:
• Collection: from multiple sources and in multiple formats
• Correlation: intelligence across all the modules
• Categorization: malware family, bot IPs, MD5
• Integration: into 3rd-party security tools
• Action: take intelligence to create custom YARA[*] rules to dissect malware
Available as:
• SaaS
• fully Managed Security Service
[*] YARA = open source tool with Perl-compatible regular expressions, used to examine suspected files/directories and match strings.
wizlynx CTI (Cyber Threat Intelligence) powered by
Features
wizlynx CTI is divided into distinct yet integrated modules, allowing companies to choose the specific modules that suit their business needs.
Credit Card Theft
• Create a proactive cyber security strategy to prevent credit card fraud
• Block stolen credit cards
• Protect corporate cards and VIPs from non-authorized purchases
• Insurance cost reduction due to credit card fraud control/mitigation
Botnet and Command & Control
• Detect infections in critical servers, VIP users, and clients
• Protect by recovering stolen user IDs and passwords
• Proactive, real-time awareness of crime servers; track and block
Targeted Malware
• Track malware & mobile malware trends to detect targeted malware
• Connect internal network analysis appliances to send malicious binaries for analysis into a cloud-based elastic sandbox
• Early warnings of information theft or leaks due to a malware attack
Rogue Mobile apps
• Identifies false, infected, modified, or copied apps, as well as apps performing brand abuse activities
Hacktivism
• Live threat data, which can be streamed into a SIEM
• Early warning of information and credential theft or leaks
• Vulnerability analysis specific to the applied technology
• Hacktivism global overview, including active operations/geo location
Data leakage
• Detecting information leaks from third parties, such as outsourcing, consultants, audit, and other partners
• Delivering a list of documents with organization information
• Gather "classified" documents/information that is publicly available
Brand abuse
• The Abuse and Social Monitoring Module monitors online presence to identify brand abuse, reputation damage, and other forms of attacks on your brand
Phishing & Cybersquatting
• Combats attacks by detecting attempts to acquire sensitive information by masquerading as a trusted entity, and by detecting similar domains used to replace the company's original domains
Media tracker
• Monitor source mentions with potential impact on brand reputation
• Identify news/media activity threatening the organization's security
• Filter news and media sources easily with sophisticated search functionality
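The "similar domains" check in the Phishing & Cybersquatting module can be illustrated with an added Python example (not the product's code): it compares candidate domains against a protected list using homoglyph folding, edit distance and a brand-embedding check, and reports why each candidate was flagged. The protected domain is the company's own from the contact slide; the candidate domains, the homoglyph map and the distance threshold are constructed assumptions.

```python
# Constructed list of the organisation's own domains (substitute your own).
PROTECTED_DOMAINS = ["wizlynxgroup.com"]

# Assumed substitutions commonly used to imitate a brand name in a domain.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def normalize(label):
    """Fold look-alike characters so 'wiz1ynxgroup' compares equal to 'wizlynxgroup'."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label

def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(domain):
    """Second-level label; a production tool would consult the Public Suffix List."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def classify_domain(candidate, protected=PROTECTED_DOMAINS, max_distance=2):
    """Return why a domain looks like a squat of a protected one, or None."""
    cand = registrable_label(candidate)
    for genuine in protected:
        if candidate.lower().strip(".") == genuine.lower():
            return None                            # it is the genuine domain
        brand = registrable_label(genuine)
        if cand == brand:
            return "same-label-different-tld"     # e.g. .net instead of .com
        if normalize(cand) == normalize(brand):
            return "homoglyph"                     # digits/letter pairs imitating the brand
        if levenshtein(cand, brand) <= max_distance:
            return "typo-distance"                 # transpositions, dropped letters
        if brand in cand:
            return "brand-embedded"                # brand plus a suffix such as -login
    return None

def find_lookalikes(domains):
    """Return {domain: reason} for every domain that resembles a protected one."""
    return {d: r for d in domains if (r := classify_domain(d))}
```

Feeding newly registered domains or certificate-transparency log entries through find_lookalikes turns the idea on the slide into an early-warning list for the phishing module.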
DEMO
SECURITY NOTE: NO PHOTOS, NO VIDEOS ALLOWED!
Summary
PREVENT
• Consistent blocking of attacks and removal of vulnerabilities
• Interrupt malware and exploits
• Discover and protect endpoints
RESPOND
• Concise and quickest possible Incident Management
• Score and improve your incident response capabilities
• Locate indicators of compromise
DETECT
• Identify unknown threats against your enterprise with intelligence and analytics
• Discover attacks across your organization
• Perceive abnormal behaviors
• Prioritize threats
"Knowledge is Power" (Sir Francis Bacon, 1597, English philosopher, statesman, scientist)
Danke.
Thank you.
Obrigado.
谢谢.
Terima kasih.
Gracias.
Andreas Crisante
Senior Cyber Threat Intelligence Advisor
Christian Fichera
Senior Cyber Security Consultant
Wizlynx AG
Hauptstrasse 11
4102 Binningen
Switzerland
Mobile: +41 79 320 83 55
www.wizlynxgroup.com
BACKUP SLIDES
Botnet Module Capabilities
• Provides a high quality feed of compromised credentials
• Recovered credentials can belong to customers, internal users, 3rd-party suppliers or VIPs
• Our platform is the only platform to provide a stream of credentials recovered from a diverse range of sources
• The data provided is current and gives an organization actionable intelligence
• Without such a service in place, these credentials could be used to launch APT-related attacks
Credit Card Theft Module Capabilities
• Provides a high quality feed of compromised credit cards
• Recovered card details are time stamped
• Corporate cards and those belonging to VIPs can be monitored in addition to retail & business customers
• Detailed MI to track card compromises by region
• The only platform to provide a stream of card data recovered from a diverse range of underground sources & POS compromises
• The data provided can be fed via API directly into any middleware fraud engine deployed, to provide card blocking functionality in real time
• Any entity involved in the use of credit cards will see an immediate return on investment through a higher rate of compromised card detection
Data Leakage Module Capabilities
• Searches for documents and confidential information that belong to your organization but should not be publicly available
• This solution complements existing controls, as it can identify leaks that have for one reason or another bypassed existing controls such as DLP systems
• Examples of sources monitored in real time include, but are not limited to: P2P networks, Google Docs, DropBox, …etc
• Detect insiders leaking confidential information
• Identify leaks bypassing DLP controls
• Enhance DLP controls and secure a better ROI
• Detect information leakage from third parties
• With increased business demand for BYOD, this module can help identify information leakage originating from mobile devices
Rogue Mobile App Module Capabilities
• Detect illegal mobile applications that are being publicly published without your organization's authorization
• We provide a real-time feed covering the following sources: Official Mobile App Markets, Alternative Mobile App Markets
• Detect rogue applications and data theft
• Detect new and legitimate applications that have not been authorized by the CISO, and identify blended attacks (those involving malware)
• Protects brand value: constant and active monitoring of mobile app stores for improved visibility of the threats infringing your brand's integrity, value and reputation
Hacktivism Module Capabilities
• Provides a high quality stream of cyber intelligence related to hacktivism activity targeting your organization
• Identify groups and malicious actors targeting your organization
• Early warning of planned attacks
• Track and preserve information from across all forms of social media, including Twitter, RSS and underground forums
• The Wizlynx platform is the only platform to provide and track detailed information across a diverse range of social media
• The platform can preserve the information captured from social media, allowing for a detailed forensic investigation at a later time
• Take the information captured and feed it directly into your SIEM solution
Targeted Malware Module Capabilities
• Checks in real time against emerging campaigns and newly known malicious websites being detected across organizations
• Upload suspicious files into our solution for real-time analysis; a complete technical report is generated which can be viewed online. This report can be used to fingerprint the malware and aid in the identification of infected devices on the corporate network
• Static code analysis looking for suspicious behavior, obfuscated scripts, malicious code snippets, and redirects to other malicious sites
• Dynamic analysis that sandboxes the destination, simulating a real user on a machine with the goal of observing any changes made to the system
Phishing Module Capabilities
• Phishing websites can cost enterprises enormously. Without robust protection, a well coordinated attack can leave the enterprise vulnerable to financial losses and reputation damage
• The phishing feed can be stand-alone or fed into an existing service to enhance detection capabilities
• Ability to store and view a snapshot of the phishing site and its metadata for use during investigations
• Real-time alerting and reports of fraudulent phishing URLs
Brand Abuse Module Capabilities
• Detect abuse and misuse of your brand
• Prevents coordinated real-world attacks and brand dilution. Keeping abreast of brand-related issues in community networks is now a crucial part of any brand protection strategy. Left unchecked, many brand-related issues that start small in these social networks can quickly explode into full-fledged brand or public relations catastrophes in a matter of days
• Examples of sources monitored in real time include, but are not limited to: Vimeo, YouTube, search engines, Google Images, social networks
• The unique stream of targeted brand abuse that is delivered will help to aid legal and marketing teams in quickly moving against malicious use of the brand
• Brand dilution and devaluation: examples include unauthorized use of brands, logos claiming partnership affiliation or other endorsements, or use on sites with objectionable content