
Ground Zero Financial Services: The Latest Targeted Attacks from the Darknet

BSidesSF 2015 · 37:51 · 26 views · Published 2023-12
Style: Talk

About this talk
Speakers: Brian Contos, Jonathan Curtis

Within the Darknet, an area of the Internet that’s hidden from pedestrian use and commonly associated with malicious and illegal activity, individuals and organizations create, test and refine their attacks. Because many of these attackers are financially motivated, there is a large and growing number of targeted attacks focusing on financial services. This presentation analyzes those attacks.

https://bsidessf2015.sched.com/event/2t1q/ground-zero-financial-services-the-latest-targeted-attacks-from-the-darknet

Transcript [en]

And we're just about ready to begin. This is Jonathan Curtis, Ground Zero Financial Services: The Latest Targeted Attacks from the Darknet. [Applause] for Jonathan Curtis. And thank you very much. Just a little bit of background: I started my career at Bell Canada, I did ISP safety and security there for 13 years, then went to Nominum, a DNS vendor here in the Valley, and then I worked four years in federal law enforcement at the CRTC, enforcing the new Canada's anti-spam law, malware, etc., as director of intelligence there, and rounded it out, now I'm back in the private sector working for Norse. So I have one vendor slide

and I do apologize for it, so I'm going to probably skip through it quickly. So Norse has a massive sensor network, roughly 8 million odd sensors; that's how we collect our data. We also collect NetFlow data. We operate as 16 different cutout companies around the world; we're global in nature. Not as much I'm going to say there. So let's think about the history of sort of finance and what was and what is today, back a few years back. And before I get too far into it, I know some of you have just been through a statistical... you're all stats experts now. I do have one pie chart and I do

have one bar chart, but the numbers are accurately represented, so I checked a few things to make sure the audit trail is clean. The consumer wallet really was bombarded with attacks, phishing attacks, massive onslaughts of attacks, and this is really the early days where IP blocking was really simple, but really it was the consumer on their own, kind of fending for themselves, a garden hose and a grass fire kind of thing. The good news is OpenDNS, PhishTank, APWG and a number of grassroots initiatives, some of which, MAAWG, I've been involved with, had really kind of pushed the science a

little bit by protecting consumers. ISPs, I'd hate to miss out on that, social networks, etc. have all invested massively, not just in money but in people, time, energy, to really help drive the industry around trying to protect the consumer. So we have had a bit of a shift around the pure-play phishing based on some of these efforts over the last few years. This is not my chart, it's from APWG, but I figured it was relevant in terms of just seeing the shift in the trends, and really sort of showing, through the last three, four

years, it's kind of dipped and then it's back up, but overall down a little bit, but it's still good news. There's still persistent attacks in the space obviously, but the miscreants are moving, and they're moving, in our sense and what we're seeing in our networks, to more targeted, more specific, moving from the consumer wallet to sort of the bank vault, so, you know, trying to compromise banking infrastructure, and that's a lot of what my talk is going to be today. So to complicate matters a little bit, content distribution networks, Tor, I2P and other hosting infrastructure make it difficult

not only for law enforcement but cyber analysts to just get to the root cause of the problem. And if you thought that was complicated, it gets a little bit more complicated when you start entering into the space of some of the zero-day, etc. I think you're all experts in this space, or at least, you know, hobbyist at worst maybe, and you get this, you've seen these types of slides and this type of problem getting more complicated, maybe less volume but much more complicated. And to top it off, we're seeing the state actors get involved: Russia, Syrian Electronic Army, China, Iran. And so where you're seeing hacker by

day, state sponsor by night, or reverse that, we're seeing those trends in our data. And what we're also seeing, just to paint the landscape a little more, is sort of an inside-out where you've got the attack surface growing, you've got some insiders, whether it's state-sponsored activities that turn political. What I mean by that is really you'll get a statement by, say, Barack Obama targeting, say, Iran or North Korea, and then the onslaught will hit UK banks, it'll hit US banks, because they want to hit where they can do financial harm. And by the way, this presentation is meant to be interactive. We're going to

get into darknets in a few moments, but what we're also seeing is the ability to not only just do a DoS attack, but while the DoS attack is happening and the resources to combat that are taken over, there's a tsunami that comes in and wipes out other tracks, if you will, by busying out resources or by having secondary waves of attacks that take place during peak periods or on weekends. This is really not much different than spammers back in the, you know, early-mid 2000s, where they would attack on the weekends because they knew sysadmins

were away. So the result really is: keep calm, your data is gone, right? But is it gone? Did it go over to maybe Tor, right? In the case of Sony, their data I believe is still up on Tor, 113 terabytes of compressed data. Or did it go to one of the more recent threats, or, although this protocol was I believe invented in 2002, starting to rear its head a little bit in the sense that Tor is being maybe less trusted by the miscreants. So, you know, trying to keep track of, say, where your data has gone once it is gone is a little bit difficult. So who here has done

investigations involving darknets? Okay. And in terms of level of difficulty, you know, there aren't the usual signs that maybe point you in places, there aren't the usual... it isn't this easily searchable network or hosts on networks, whereas, you know, an open source investigation gives you a lot, there's a lot more of a trail in play. And so I guess what I'd like to get into is some of the statistics that we've seen. I'll give you an overview of what we're seeing in the banking industry, then I'll get into a few case studies;

it's meant to be somewhat interactive, and then I'll walk you through some proactive steps. I don't have time today to do all of the proactive steps that you could take, but I'm going to do a deep dive on honeypots at the end. It went over well at DCC where I spoke a few months ago, and I hope that we have the same type of reaction here. So what we're seeing across the three countries is really an increase in, and I want to be precise here based on your previous schooling that you had in the last session, you're seeing an increase

proportionately of banking infrastructure in each of these countries increasingly coming on to our list. So their corporate networks, their partner networks, etc. are hitting our sensors, which is really the smoke to the fire, okay? So we're seeing an increase in that space, and I'm going to get into more specifics, exactly what that means. And this is in the first quarter, and the different colors in the graph represent the increase... sorry, the different colors represent each month, and if you do add these up they will come up to 100, so I was kind of happy about that. And

so here's my pie chart, which also has percentages that add up to 100; I think I get extra points for that. The interesting thing here is really that the banks, when they're getting into our data, when they're hitting our sensors, the increase is really around botnets, and then there's little decreases against the other smaller categories that we have here. These are more tenacious categories, by the way: a botnet-infected bank employee is pretty common practice, whereas when you get a proxy that's sitting there, this is, by the way, behind their corporate firewall, this is data we're seeing coming from IP addresses that are owned by banks, okay? So in terms

of all events, what we've seen for Q1 this year is really a large percentage of them are bots, and no real surprise there. But really, when you compare it against the banks, there's about a 5% increase there, so there is some targeting in terms of botnets against banks as common play, because proxies and other types of malware that come out of a bank are much more noticeable. I mean, you're talking about a corporate infrastructure where there's firewalls and whatnot that will catch a lot of the miscreant play ahead of schedule. Where we see the biggest exposure for banks are

some of the banks that have done acquisitions. So they're acquiring, they're making changes; whenever you make changes you tend to make some mistakes, and that's where we're seeing a bit of an uptick in certain areas, certain geographic areas particularly. There was some stuff that happened in South Africa earlier last year and then again late in the year. So to get into specifics, what we're also seeing is, when a CVE, when a vulnerability is announced, the time it takes to go from a vulnerability to being an exploit. In this case here we saw the proof of concept in

mid-February; the CVE was published on the 17th of February, and then we saw this IP address here hitting not our sensor but actually our customer, so we're seeing it a lot in the network, the exploit take place. Now that's, you know, four, give it six weeks, what have you, call it five just to saw it off. But that's really not as juicy of a story as the next one I'll give you. And by the way, if you're rushing to write down any of these IPs, you can hit me up and I'll send you some IPs

of interest for you, including the ones that are here. So, sorry, those are the logs. So really what we're seeing also pick up is the velocity. So whether it's the capabilities within the hacker community, miscreant community, state-sponsored community, although I'd argue that's not quite a community, it's more of an entity, what we're seeing is the time from the announcement of the exploit to proof-of-concept code is shortening, and it's shortening rapidly. In this next example we've got an SQL injection, and within two hours of it being announced we saw, in a live customer network and in our sensor network,

attacks from this particular IP here, based in the Netherlands. And so the speed of these types of attacks is of concern. The tool set that is available to the criminal entities and the state-sponsored entities is astonishing. So this week, to get into the third case study, is really the Microsoft IIS exploit; you've probably maybe heard that's been released. We believe we'll start seeing some attacks in that space in the short term. Yep?

Sorry, on this particular one, I... yeah, thanks, because I didn't have the answer to that. Well, just be honest with

[Laughter] you. So what's that for... you know, some of the things that are happening, really this isn't new when it comes to criminals, right? Back in the early '30s with Bonnie and Clyde, they had access to banks, they had access to highways, right, and they had access to really crappy laws. The FBI got involved in 1934 when bank robbery and kidnapping became a federal offense. And I'm not saying the laws need to change particularly to fix this problem; we're having a lot of international cooperation, particularly between the FBI and other countries, to try and bring these actors down. What I'm saying is that within the

industry it makes it difficult to communicate at the high speed that the transactions are happening. So, you know, you get an exploit and a minute later you're seeing it, in fact. You know, it's pretty hard to share the data at that wire speed. Now, because of, say, some of the FS-ISACs, some of the REN-ISACs, Facebook announced its threat share, there's certainly a movement, I apologize if there's others that are out there that have started sharing data at that sort of closer-to-ethernet speed maybe, but that's certainly the

adaptation, we have to adapt to try to curb this problem. And so I'd like to talk to you, before I jump into the honeypots: are there any questions regarding any other questions on the data? I was expecting somebody to nail me on the pie charts or something, but anyways. Okay, so honeypots. I want to talk a little bit about my experience with honeypots and what I've used to try to improve consumer safety, Internet safety, etc. in the space. The most recent one that I built was back in October; I launched one with the CRTC. It was 1500 phone numbers spread across

Canada. We had every major carrier donate 100 numbers, which in reality isn't a lot of numbers; there's available 390 million phone numbers in Canada and we had 1500, albeit you divide the 390 in half, let's just say it's 100 million available phone numbers. What we saw was, the first day we turned it on, within hours we had a telemarketer slash scammer calling the honeypot. So it doesn't take a lot of honey tokens, let's say a lot of honeypots, a lot of infrastructure, to garner real-time intelligence on your attacker. So with that we actually had two live cases that the honeypot... because we have the

ability to do better investigations based on the data that comes back from the honeypot, you can tell volume, you know, if an attacker is just sequentially dialing through the numbers, for example, etc. The takeaway there would be, it probably wouldn't hurt to have a few honeypot numbers for your own organization; it's not that expensive, especially if you're on VoIP, and then monitor that to see who's trying to call your employees and maybe do bad things to your people. So the other types of honeypots that we've run would be, say, domain, IP-type honeypots, bogon. RFC 1918: if you're running a corporate network you definitely should be running a bogon

honeypot, RFC 1918, to see if anyone's trying to communicate out there. You'll catch a lot of early warning, a lot of early-stage attacks. And the next thing you can do is start looking at, and I believe that OpenDNS bought BGPmon a few weeks ago, so BGP monitoring, certainly a good idea. You don't know who's trying to hijack your IP space. It's not so much a honeypot, but it's sitting there, data that's just waiting for you to mine it, right? You get in there, you can see whether or not you're under attack for hijacking like that. If you have NetFlow, it's very valuable. I suggest

that you look at some of the stuff that William Salusky wrote; actually, I think William Salusky's got some stuff, but he's got stuff on a replacement for Wireshark, Moloch I believe it's called, and you can run, you know, packet sniffers and NetFlow data and try and munch that together and get a sense of your vulnerabilities in that space. So then you can get a sense of also, historically, without a lot of data, certainly it's going to take some data, but it's summary data and it'll give you good insights around a sampling rate of what's happened on your network, and it really puts you in

the control channel. I'm not sure if you're familiar with the control channel or not, but really, in say DNS or IP routing, BGP, those are really control protocols if you think of them that way; they control where you're going to go, right? And so, just in summary of this slide here, I believe that really the intelligence is a lot closer to you than you think. There's things that are in your network today you could turn on, low cost. You know, do it in a lab first, don't just go off and start... don't just run off and

build out things on a production network. You can run this stuff in a lab and, you know, really flow through it with some methodology. As I mentioned, there's other things you can look at as well: honey tokens, user IDs, you can look at building out, say, a fake DMZ; use hardware that's about to be decommissioned, you could put that in place so that you can garner, you know, some of that intelligence around, you know, lighting up a network so that you can see people knocking on your VPN. If you don't have vpn.yourdomain.com today, create it and see what happens, see who starts knocking on the door, right?

One other thing that tends to skip past, you know, one item I think that needs a little bit of attention, that I actually personally haven't put as much into as I'd like to, would be, say, exit interviews. I'd like to think about how we could use some kind of token or something with people that leave a company, because there's a lot of damage that can be done just before they leave and after they leave. So it's really key, I think, for the insider threat to have something in place; I don't know what that is yet. Does anyone have any thoughts around what you could do with an employee that's

about to leave and maybe push your data off to, say, a proxy or Tor or an anonymous FTP site or something like that? Does anybody have any thoughts around that? You have, like, USB policies or, you know, [inaudible]. Yeah, nice, that's cool. Yeah, the other thing too is I noticed on a... I'm not going to say which company I was working for, but there was a high-ranking official that had their Outlook PST file on a network share, which I thought was kind of a little bit crazy, you know, for employees, if they were going to take something that would certainly be pretty juicy. So I've kind of skipped

pretty quickly through the presentation, to be frank with you, but some of the asks I would like to kind of go through. I was hoping to hear more from the crowd on some of it, but that's okay. It's really, I think, that there's a need first and foremost to do some sharing. You need to share information where you can, in forums or closed groups that you can share data in, trusted groups I guess is probably a better word, that you can share data on. Where you can automate, you should try and do some automation: some of the things I mentioned around creating honey

pots in certain places, like a VPN, etc., you should try to build, maybe, and then move it around and reposition those honeypots if you can. You should publish: we published all the work that we did on the voice honeypot, we published through MAAWG, so there's a best practice that I wrote with a few folks, Alex Bobotek from AT&T and a few folks from Georgia Tech, on running voice honeypots, so there's a lot there for you. You should think about consuming data, whether it's, you know, over an API, RESTful API, or some sort of machine-readable, some way to share it. I think

Facebook's put some thought around this; certainly the ISACs through STIX and TAXII, etc. are looking at it. And why you do it is, you know, you're going to try and save some time, you're going to try and save some money, you're going to move faster, you're going to scale, you probably can scale at wire speed at that point, and then you'll be able to react faster as well. And I'm probably maybe... yep? [Audience] You talked about the time between CVEs being released and when you actually see them implemented. You talked about the decrease in time; primarily, is that just because when you talk about

an SQL-type exploit, that class, it's more well known, people are probably going to be able to learn about it and identify how to implement that kind of attack, versus something a little more detailed requires a little more expertise and takes more time? Yeah, I think it comes down to a few things. One would be the amount of information that's made available to the miscreant, so, you know, how much detail is in the exploit and triggering that. Another would be the tradecraft, as you mentioned: do they have, you know, working knowledge of the protocol, can they quickly get some copy-paste code and start doing

something with it. You know, there's, I guess, a number of factors. I think money is probably the biggest motivator, or harm, economic harm, depending on, you know, if you have enough resources you can shorten that window down, by having enough resources in the space, and of course they're also running these protocols already natively in their own labs, right, so they can, you know, the capabilities are

there. [Audience, partly inaudible] FBI, industries, and there's, you know, especially post... people are not... but the complaint most folks have is, well, the FBI, give it back, share. So now they're trying again, they're trying to get the industries to talk themselves. You see that happen, the industries are still holding back, they don't want to... yeah, my PS are down, right? Got it, yeah. So I'm probably positioned fairly well to answer that question because I came from federal law enforcement, now I'm back in the industry, and I've been back and forth between the two. And so I'm going to take it apart in two places here. So within the industry, I certainly participate and

work with a number of industry experts in sharing data. I believe that's working at probably 80, 90% right now; it's quite quick, it's actually worked fairly well from '99 or '97 or whenever NSP-SEC came along. That seemed to work fairly well. It's tricky though, as I mentioned, with the threats moving as quickly as they are, the actual protocols to share the data with: it's over email, it's a little harder because not everybody reads the email, they filter, whatever, right? It needs to be, I think, more machine-to-machine type sharing. So in the industry, I believe that there, I would say in my 20-year history of watching

this, it's a solid 80%. When I compare it to governments, it's better, eh? When you cross the international border there just seems to be a little more collaboration that happens, a little more willingness; maybe it's people that just want to travel, I don't know. But, and that was a dirty shot and I didn't know it, but

yep, sure. So I would say that at a high level, I'm going to skip back up because I may have gone through it a little quickly. [Music] So I talked speed, I talked... okay, so in terms of their infrastructure becoming, apologies, I'll pull this over here so I can see you, their infrastructure becoming more compromised as a darknet. So if their infrastructure is showing up on our sensor network and it's growing as, say, botnet for example, and disproportionately to all other events that we see, let's talk about botnet for a second. It's, to us, it's a key

indicator towards the fact that they are, you know, if they're showing up hitting our sensors, which our sensors aren't trying to, you know, extract or exfiltrate data from their network, we've just put these sensors out there and they're hitting those sensors, that's where there's smoke; we believe there's a fair amount of fire. So, meaning that, and not to try and be a fearmonger because that's not my goal, my goal here is really to try and give you facts, understanding and discussion, but I think that with botnets and, say, proxies, and I'll just go back a little bit more, here we go,

so the good news, though, not to, you know... so there's good and bad here. The good news is that it is botnet, but as you know botnets can be used for a variety of purposes. The other thing is that it really is more of a sort of, the proxies and whatnot is half of what the norms are. So, you know, I attribute that to the fact that, I believe I mentioned earlier that the corporate networks are better protected, better hidden. So the other thing that we're seeing, and I mentioned the two zero-days that

I talked about, those actually happened on FSIs; those were real live cases, one's in the UK, one's here in America. I'm not going to get into the names of the companies, but also doing other stuff in insurance companies, which blends into FSIs, and seeing that as they grow and as they move, as I mentioned, that growth really opens them up for attack because the defenses are down. And so when I look at insurance companies particularly, they aren't as tied in to, say, some of the FSIs, are not as closely in there, maybe less regulated, I'm not sure the reason, but we're seeing a higher uptick. And I'm

sorry I don't have the slides and the graphs to do it, but I've done the analysis myself on the insurance companies, and it's alarming. I wouldn't say it's scary, but it is alarming. It would be interesting to see banking and financial and then see insurance beside that; I believe that they're less

positioned. [Audience question, inaudible]

Infection? Yes, so it's two things, two or three things. So we see the... we have core infrastructure routers in Russia and other countries like China, etc. We see NetFlow data that shows that beaconing happening, yes. We also see them connecting to us, to our infrastructure in country, trying to either... making those connections, I guess, whether it's a full handshake connection or just a ping out. So we're seeing it not only just on your traditional, let's say, botnet, but we're also seeing VoIP. The unprotected area within the corporation, I would say a few of them would be web

services, VoIP; email is fairly fortified at this point, it's fairly guarded, although it's still a major channel. I don't want to underestimate how much email means; you know, I'm an old email hack myself. But, you know, those are kind of the key threats, a couple of the key threats we're seeing, because they're just kind of left, right? They go off, they do some splashy new website and they leave it, they don't go back and patch it, or something to that effect, right? Like, look at this IIS vulnerability: we believe that that will be a target because a lot of banks use IIS in some of their infrastructure.

Most of the banks, though, any of the more serious banks, they'll actually have Akamai out there giving them one layer of protection, and then they'll have, you know, multifactor authentication, etc. What I was saying earlier is the miscreants are more likely to target the IT administrator of the bank and not so much the customers of the bank; that was the point I was trying to make with the vault and stuff like that. Yep?

Yeah.

Yeah, yeah, I was going to do a breakout for, was it Dridex I believe it's called, the latest one, but, you know, just the lines start to get really blurry, to be honest with you. I mean the names change so quickly. But just to answer your question, I probably could get you a much more detailed slide and we'll do so, if that's okay, but I will take that away as a takeaway. Yeah, sorry, my lack of

understanding. Sure, yeah, that's... yeah. So botnet would be sort of your generic, like SQL injection, botnet command and control systems, your traditional, I guess, botnet traffic, whether it's, say, DoS traffic or, these are just a bunch of examples, you know, we saw it connect to a command and control system, for example, for, say, a ZeuS bot, or, you know, I threw Dridex in there but it would be in this category here. When I talk about server attempts, we are operating 6,000 different applications in our sensor network, so we will see attempts against our servers, whether it's an SQL injection from

... yeah, right. So if I see you connecting to a command and control system, that's more or less, you're going to be more likely to be a bot. If I see you connect to one of my servers and make an attempt to try to hack it, whether it's SSH, whether it's telnet, whether it's remote desktop or something to that effect, then it's server attempts. Proxies: we're seeing them either try to facilitate, say, a reverse proxy, or we're seeing them try to do some form of proxying, proxying being you can make a connection and kind of passively get through into the network, right? And then also allowing that, sorry, that traffic, we may have seen it come out as a

Tor exit node as well; we may see that IP address try and operate as a Tor exit node, okay? We're operating 5,000 Tor nodes and emulating 20,000 Tor users, so we see that type of traffic. Web malware, this is drive-by malware; this could be, yeah, this could be their website. So some banks, you think, oh wow, that's just one domain, right? If you take a look at, say, DomainTools and look up a handful of banks, you're going to see that a lot of them have on average over a thousand domains associated to themselves, right? So what I'm saying here is that some of those domains get

compromised and they end up hosting malware off the bank site. Does that help? Okay. So I did want to take the time to apologize for having to go through the slides again like that. So thank you to OpenDNS, if we could get a round of applause for OpenDNS, and the other sponsors. We're a vendor, maybe next year, actually one of the later ones, I think in Ottawa, where I'm from, we'll try and sponsor. Also would like to thank the volunteers, and I would like to thank you, the participants. Thank you very much.
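The two low-cost detections the speaker recommends in the honeypot section, an unused RFC 1918 range inside the corporate network that nothing legitimate should ever talk to, and an unpublished DNS name such as vpn.yourdomain.com that only someone probing the network would ask for, can both be checked against data most networks already collect. The following is an added example that is not code from the talk, from Norse, or from the speaker; it assumes a constructed unused range (10.250.0.0/16), a constructed honey-token name (vpn.example.com), simplified NetFlow-style CSV flow records and a simple DNS query log format, all embedded inline as sample data.

```python
"""Added example: flag touches on an internal "darknet" honey range and lookups
of honey-token DNS names, from flow records and DNS query logs.

Assumptions (all constructed for this example, not from the talk):
  - 10.250.0.0/16 is RFC 1918 space the organisation deliberately leaves
    unused, so any flow towards it has no benign explanation.
  - Flow records are simplified NetFlow-style CSV lines:
        ts,src_ip,dst_ip,dst_port,proto,bytes
  - DNS query log lines are:  ts,client_ip,qname
  - vpn.example.com is a honey-token name that was created but never published.
"""
import csv
import ipaddress
from collections import defaultdict
from io import StringIO

HONEY_NETS = [ipaddress.ip_network("10.250.0.0/16")]  # assumed unused range
HONEY_NAMES = {"vpn.example.com"}                     # assumed honey-token name
SWEEP_THRESHOLD = 4  # distinct honey-range destinations from one host => sweep

FLOW_FIELDS = ["ts", "src_ip", "dst_ip", "dst_port", "proto", "bytes"]

# Constructed sample data: one host sweeping the honey range on port 445,
# one host making a single SSH touch, plus ordinary traffic to a real server.
SAMPLE_FLOWS = """\
1429400000,10.1.2.3,10.250.0.1,445,tcp,120
1429400001,10.1.2.3,10.250.0.2,445,tcp,120
1429400002,10.1.2.3,10.250.0.3,445,tcp,120
1429400003,10.1.2.3,10.250.0.4,445,tcp,120
1429400004,10.1.2.3,10.250.0.5,445,tcp,120
1429400005,10.1.2.9,10.250.7.7,22,tcp,800
1429400006,10.1.2.9,10.1.0.5,443,tcp,5000
1429400007,10.1.2.3,10.1.0.5,443,tcp,5000
"""
SAMPLE_DNS = """\
1429400010,10.1.2.3,www.example.com
1429400011,10.1.2.9,vpn.example.com
1429400012,10.1.2.9,mail.example.com
"""


def parse_flows(text):
    """Turn the CSV flow text into a list of dicts with parsed address/port."""
    reader = csv.DictReader(StringIO(text.strip()), fieldnames=FLOW_FIELDS)
    flows = []
    for row in reader:
        row["dst_addr"] = ipaddress.ip_address(row["dst_ip"])
        row["dst_port"] = int(row["dst_port"])
        row["bytes"] = int(row["bytes"])
        flows.append(row)
    return flows


def in_honey_net(addr):
    """True if the address falls inside one of the unused honey ranges."""
    return any(addr in net for net in HONEY_NETS)


def honeynet_hits(flows):
    """Every flow into the honey range is a finding: nothing lives there."""
    return [f for f in flows if in_honey_net(f["dst_addr"])]


def classify_sources(hits):
    """Group hits by source host. Many distinct destinations from one host
    looks like a sweep (scanner or worm); a single touch still merits a look."""
    dsts, ports = defaultdict(set), defaultdict(set)
    for f in hits:
        dsts[f["src_ip"]].add(f["dst_ip"])
        ports[f["src_ip"]].add(f["dst_port"])
    verdicts = {}
    for src, d in dsts.items():
        verdicts[src] = {
            "distinct_dsts": len(d),
            "ports": sorted(ports[src]),
            "verdict": "sweep" if len(d) >= SWEEP_THRESHOLD else "touch",
        }
    return verdicts


def honeytoken_dns(text):
    """Return (client, qname) pairs for lookups of names that were never
    published: whoever asks for them learned the name some other way."""
    found = []
    for line in text.strip().splitlines():
        _ts, client, qname = line.split(",")
        if qname.rstrip(".").lower() in HONEY_NAMES:
            found.append((client, qname))
    return found


def report(flow_text=SAMPLE_FLOWS, dns_text=SAMPLE_DNS):
    """Run both detectors over the given logs and return a combined summary."""
    verdicts = classify_sources(honeynet_hits(parse_flows(flow_text)))
    return {"honeynet": verdicts, "dns": honeytoken_dns(dns_text)}


if __name__ == "__main__":
    summary = report()
    for src, info in summary["honeynet"].items():
        print(f"{src}: {info['verdict']} ({info['distinct_dsts']} honey-range "
              f"destinations, ports {info['ports']})")
    for client, qname in summary["dns"]:
        print(f"{client} queried honey token {qname}")
```

On the constructed data the sweep across five honey-range addresses is reported as a sweep from 10.1.2.3, the single SSH touch from 10.1.2.9 as a touch, and the same 10.1.2.9 shows up again asking for the unpublished vpn.example.com name; ordinary traffic to 10.1.0.5 and lookups of published names are ignored. Because the honey range and the honey name are never used legitimately, the alerts need no baseline, which is what makes this cheap to run in a lab before any production rollout, as the talk suggests.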