Kansas City Terrorism Early Warning - PowerPoint PPT Presentation

About This Presentation
Title:

Kansas City Terrorism Early Warning

Description:

Title: Slide 1 Author: Paul.Godlewski Last modified by: troymc Created Date: 12/1/2010 4:38:13 PM Document presentation format: Widescreen Other titles – PowerPoint PPT presentation

Number of Views:54
Avg rating:3.0/5.0
Slides: 85
Provided by: Paul7365
Transcript and Presenter's Notes

Title: Kansas City Terrorism Early Warning


1
Kansas City Terrorism Early Warning Inter-Agency Analysis Center
Cyber Threat Information Program
Missouri City/County Managers Association
CYBER BRIEFING, May 7, 2015
2
Recent Cyber Events
  • South Carolina DOR: 3.6 million SSNs stolen
    and tax returns exposed. (Direct cost $14
    million, user fraud loss $5.2 billion)
  • Shamoon (aka Wiper) Steals credentials wipes
    boot record from 30,000 to 50,000 computers at
    Saudi Aramco and RasGas.
  • Banking DDOS against JP Morgan/Chase, PNC, Wells
    Fargo, Bank Of America. Total of 8 banks attacked.

3
Recent Cyber Events
  • TARGET ( 40 MILLION credit cards) and other
    retailers.
  • City of Wichita (over 60,000 vendor financial
    records)
  • 14 banks, 12 cities and 10 police departments
    disabled during the Ferguson unrest.

4
(No Transcript)
5
(No Transcript)
6
(No Transcript)
7
  • VIDEO 1

8
So What ?
  • Computer network exploitation by threat actors
    enables:
      • Massive financial losses
      • Degradation/disruption of services
      • Extortion
      • Intellectual property theft
      • Counterfeiting
      • Theft of proprietary data
      • Identity theft (personally identifiable
        information)
      • Access to credit
      • Loss of money and credibility

9
Agenda
  • Threat Landscape
  • Actors (Bad Guys)
  • Attack types (Bad Stuff that Bad Guys do)
  • Vulnerabilities (The things that Bad guys attack)
  • Cyber Threats and Trends (The Future)
  • What Can You Do ?

10
EVALUATE YOUR RISK. THREAT VULNERABILITY
CONSEQUENCE RISK
11
CYBER THREAT LANDSCAPE
12
Cyber Threat Landscape
  • Cyber Threat Actors
      • State Sponsored
      • Terrorist/Violent Extremists
      • Insider Threat
      • Hackers
      • Hacktivists
      • Criminals / Organized Crime

13
Hacker Evolution
14
Hacker Evolution
15
Hacker Evolution
16
Cyber Threat Motivations
  • Notoriety
  • Political Statement
  • Money Banks, Credit Cards, Extortion, etc.
  • Intellectual Property / Trade Secrets
  • Information for Negotiating Positions
    (competitive advantage)
  • Infrastructure Attack Terrorism

17
Cyber Threat Motivations (Intent)
Actors marked against each motivation in the slide's matrix (columns:
Nation-State, Terrorists, Insiders, Hackers, Hacktivists, Criminals,
Commercial Espionage):
  • Fun/Curiosity/Ego: one actor marked; the column was not preserved
    in the transcript
  • Money: Terrorists, Insiders, Hackers, Hacktivists, Criminals
  • Retaliation/retribution: Insiders, Hackers, Hacktivists
  • Political Statement: Terrorists, Hacktivists
  • Intellectual Property: Nation-State, Insiders, Criminals,
    Commercial Espionage
  • Negotiation Information: Nation-State, Commercial Espionage
  • Deny, Disrupt, Degrade, Destroy: Nation-State, Terrorists,
    Insiders, Hacktivists
18
Cyber Targets
  • Government Networks
      • Federal
      • State
      • Local
      • Tribal and Territorial
  • Critical Infrastructure and Key Resources (CIKR)
    Networks
      • Over 85% owned by the private sector
      • Industrial Control Systems/SCADA
      • Embedded systems
  • Business and Home Networks

19
Cyber Threats
  • Supply Chain Exploitation
      • Cyber exploitation, manipulation, diversion, or
        substitution of counterfeit, suspect, or
        fraudulent items impacting US CIKR
  • Disruption
      • Distributed Denial of Service (DDoS) attack
        (effort to prevent a site or service from
        functioning efficiently or at all, temporarily or
        indefinitely)
  • Cyber Crime
      • Criminals seeking sensitive, protected
        information for financial gain

20
Cyber Threats
  • Corporate Espionage
      • Threat actors targeting US companies to gather
        intelligence and sensitive corporate data for
        competitive advantage
  • Advanced Persistent Threat
      • Stealthy, coordinated cyber activity over a long
        period of time directed against political,
        business, and economic targets
  • Industrial Control Systems/SCADA
      • Threat actors disrupt ICS/SCADA-based processes

21
Devices, Systems and Networks
  • Desktops/Laptops
      • OS/App
  • Servers
      • OS/App
  • Printers
  • Routers
  • VPN
  • DNS system
  • PSAPs (Public Safety Answering Points)
  • Public Notification Systems
  • Mobile devices
  • Household appliances
      • Televisions
      • Refrigerators
      • Baby monitors

22
Embedded Systems
  • Computers built into other systems
  • Examples
      • Digital X-ray Machines, Medical Devices
      • Computer Controlled Industrial Equipment
      • Automobiles
      • ATMs
      • Printer/copier/fax machines
  • The underlying computer is likely to have
    unpatched vulnerabilities because it is not on
    the System Administrator's list of computers, or
    the system must be upgraded by the vendor.

23
Industrial Control Systems (ICS)
Controls processes such as manufacturing, product
handling, production, and distribution.
Industrial Control Systems include Supervisory
Control and Data Acquisition systems (SCADA).
  • Examples
      • Robotic assembly lines
      • Water treatment
      • Electric Power Grid
      • Building controls

24
Internet Connected Communications
Communications systems that are not typically
considered computer networks but are nonetheless
connected to external networks such as the
Internet.
  • Examples
      • Telephone switching: PBX, VoIP
      • Emergency notification systems
      • First responder communications (trunked
        voice/data terminals)

25
Targeting and Attack Techniques
  • Social engineering
      • Spear phishing
      • Spoofing e-mail accounts
  • Exploiting vulnerabilities
  • Malware
      • Downloaders, Trojans, Keyloggers, etc.
  • External memory devices (USB)
  • Supply-chain exploitation
  • Leveraging trusted insiders
  • Denial of Service
  • Mobile Device Attacks

26
Advanced Persistent Threat (APT)
  • Category of cyber attack against political,
    business, or economic targets
      • Federal agencies
      • State agencies
      • City governments
      • Commercial and non-profit organizations
  • Actors use the full spectrum of computer intrusion
    techniques and technology
  • Characterized by focus on specific information
    objectives rather than immediate financial gain
  • Stealthy, coordinated, focused activity over a
    long period of time
  • Operators are skilled, motivated, organized,
    well-funded

27
Advanced Persistent Threat (APT)
  • Information objectives include
      • Govt policy/planning
      • Corporate proprietary data
      • Contract data
      • International meetings (G20, IMF, Climate Change)
  • Sabotage
  • Espionage
  • Use of compromised computers as intermediate hop
    points in future compromises

28
Advanced Persistent Threat (APT)
  • Methodology
      • Reconnaissance
      • Initial intrusion into network
      • Establish backdoor into the network
      • Obtain user credentials (login ID, passwords)
      • Escalate privileges, move laterally through the
        network
      • Search for and exfiltrate data
      • Maintain persistence

29
Advanced Persistent Threat (APT)
  • Examples of APT in open reporting
      • Operation Aurora (Damballa): Finance, Technology,
        Media; 30 countries
      • LURID APT (Trend Micro): Diplomatic, Government,
        Space-related agencies and companies; 61 countries
      • Nitro (Symantec): Gas, Oil, Energy, Chemical
        sectors; 8 countries
      • Shady RAT (Symantec): Governments, corporations,
        nonprofits; 14 countries
      • FLAME (Kaspersky): Mid-eastern countries

30
  • VIDEO 2

31
Cyber Threats and Trends
32
Trends
  • ENORMOUS increase in cyber attacks/crime, both in
    numbers and sophistication.
  • State-sponsored attacks likely to increase.
    (Cyber warfare is real now.)
  • Cyberweapon toolkits are commonplace, utilized not
    only by state-sponsored attackers but by any
    entity with medium/high skills.
  • Cyber Crime as a Service is a full-fledged
    business model.
  • Anyone can use point-and-click services to
    deliver a devastating attack.

33
Trends Nation-States That Have Declared
Offensive Cyber Capability
  • Iran
  • India
  • UK
  • China
  • Russia
  • U.S.A.
  • Australia
  • Italy
  • France
  • Syria
  • Germany
  • Israel

34
Trends
  • Hacktivists / Jihadists
      • Alliances with ideologically similar groups
      • More skilled
      • More organized
      • More aggressive
      • More of them

35
Trends
  • Cyber Criminals
      • Can occasionally approach the sophistication, if
        not the endurance, of state-sponsored attackers
      • Adding much more emphasis to mobile devices.
      • Adds a physical dimension to the cyber realm.

36
Trends
  • Shift in targeting preferences
      • State / Local
          • State networks
          • Local Municipalities / Agencies
          • FD, PD, Cities, NGOs
          • Universities, Colleges, Vo-tech
      • Businesses

37
COMMON ATTACK TYPES / MITIGATION STRATEGIES
38
Attacks from outside the firewall
39
Big Three Most Common Attacks
  • DDoS Distributed Denial of Service
  • SQL-I - Structured Query Language Injection
  • Defacements

40
Commonly Seen Attacks
  • Attack Type (TTP: Tactics, Techniques,
    Procedures)
  • What is it?
  • Who uses them?
  • Preferred targets?
  • Consequences?
  • Prevention / Mitigation.

41
Distributed Denial of Service (DDoS)
  • WHAT IS IT?
  • A DDOS attack tries to render a website either
    inoperable or inaccessible by using large numbers
    of computers sending overwhelming numbers of
    requests at a computer.
  • The target can become so busy trying to answer
    bogus requests that it cannot answer valid user
    requests and the website is unusable.

42
Distributed Denial of Service (DDoS)
  • WHO USES IT ?
  • Used to be well-resourced adversaries (state
    sponsored, cyber crime enterprises)
  • More recently seen from Hacktivists (Anonymous
    affiliates)
  • Anyone with $200 - $800 can rent a botnet with
    10,000 computers for a day to attack anyone.

43
Distributed Denial of Service (DDoS)
  • Examples?
  • During unrest associated with Ferguson MO
    shooting.
  • 15 Banking institutions
  • State, Counties, Cities, Police departments (at
    least 12)
  • Educational institutions

44
Distributed Denial of Service (DDoS)
  • Prevention
  • Can't be prevented. Plan for it.
  • Establishing connections with multiple ISPs.
  • Ensure that service level agreements (SLA) with
    ISPs contain provisions for DDoS prevention (such
    as IP address rotation)
  • Assure the network has redundant systems and
    sufficient excess capacity

45
Distributed Denial of Service (DDoS)
  • Prevention
  • Enable rate limiting at the network perimeter
  • Create backup remote site networks with multiple
    address capability
  • Segment web services across multiple machines and
    networks
  • Host public facing websites with ISPs having
    capability to withstand significant DDoS attacks

46
Distributed Denial of Service (DDoS)
  • MITIGATION
  • Executing ISP address rotation
  • Block source IP addresses that are generating
    DDoS traffic at the network boundary or within
    the ISP infrastructure. ( DDoS attacks can come
    from tens of thousands of addresses that rotate
    randomly, making this strategy difficult to
    implement.)
  • Acquire increased bandwidth from the ISP (This
    solution is limited by your own servers ability
    to handle the increased traffic.)
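
An added example (not code from the briefing or from KCTEW) of the "rate limiting at the network perimeter" measure on the prevention slide above, together with this slide's caveat that traffic spread across tens of thousands of addresses defeats per-source blocking. It replays constructed request records (millisecond timestamps and RFC 5737 documentation addresses, both made up for the example) through a per-source sliding-window limiter, then measures the aggregate request rate that the link and servers still have to absorb. The class and function names are the example's own.

```python
from collections import defaultdict, deque


def burst(ip, start_ms, count, spacing_ms):
    """Constructed helper: `count` requests from one source, evenly spaced."""
    return [(start_ms + i * spacing_ms, ip) for i in range(count)]


# Constructed sample traffic (timestamp in ms, source address); not real logs.
# Three patterns arriving at the same time:
#   - one source flooding at 100 requests/second
#   - an ordinary client making a request every half second
#   - 300 requests spread over 254 addresses, also 100 requests/second in total
SAMPLE_REQUESTS = sorted(
    burst("203.0.113.7", 0, 100, 10)
    + burst("198.51.100.4", 0, 12, 500)
    + [(10 * i, "192.0.2.%d" % (i % 254 + 1)) for i in range(300)]
)


class SlidingWindowLimiter:
    """Per-source sliding-window limiter: at most `limit` requests from one
    source in any `window_ms` span; anything beyond that is dropped."""

    def __init__(self, limit, window_ms):
        self.limit = limit
        self.window_ms = window_ms
        self.history = defaultdict(deque)  # source -> timestamps of allowed requests

    def allow(self, ts, source):
        recent = self.history[source]
        while recent and ts - recent[0] >= self.window_ms:
            recent.popleft()  # forget requests that fell outside the window
        if len(recent) >= self.limit:
            return False
        recent.append(ts)
        return True


def apply_limiter(requests, limit=20, window_ms=1000):
    """Replay requests in time order; returns (allowed_count, {source: dropped})."""
    limiter = SlidingWindowLimiter(limit, window_ms)
    dropped = defaultdict(int)
    allowed = 0
    for ts, src in sorted(requests):
        if limiter.allow(ts, src):
            allowed += 1
        else:
            dropped[src] += 1
    return allowed, dict(dropped)


def peak_aggregate_rate(requests, window_ms=1000):
    """Most requests from all sources combined in any `window_ms` span: the
    load the link and servers actually have to absorb, limiter or not."""
    times = sorted(ts for ts, _ in requests)
    peak = start = 0
    for end, ts in enumerate(times):
        while ts - times[start] >= window_ms:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


if __name__ == "__main__":
    allowed, dropped = apply_limiter(SAMPLE_REQUESTS)
    print("requests:", len(SAMPLE_REQUESTS), "allowed:", allowed, "dropped:", dropped)
    print("peak aggregate requests per second:", peak_aggregate_rate(SAMPLE_REQUESTS))
```

The single flooding source loses 80 of its 100 requests to the per-source limit, while the 300 requests spread over 254 addresses pass untouched even though they arrive at the same aggregate rate; the peak of about 200 requests per second is what the capacity and ISP measures on the prevention slides have to cover.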

47
(No Transcript)
48
SQL Injection (SQL-I)
  • WHAT IS IT?
  • A form of attack on a database-driven Web site in
    which the attacker executes unauthorized SQL
    commands by taking advantage of insecure code on a
    system connected to the Internet, bypassing the
    firewall.
  • Used to steal information from a database and/or
    to gain access to an organization's host
    computers through the computer that is hosting
    the database.
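
As an added illustration (not code from the briefing or from KCTEW), the following Python script shows the mechanism the slide describes: one lookup builds its SQL by pasting user input into the query text, the other binds the input as a parameter. Both run against a constructed in-memory SQLite table of hypothetical vendor records that includes a restricted row the query is supposed to hide. The vendor names, the table layout and the `compare` helper are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data (not from the briefing): a small in-memory table
# standing in for the kind of vendor records a municipal web application fronts.
VENDORS = [
    (1, "Acme Paving", "public"),
    (2, "Riverside Fleet Services", "public"),
    (3, "O'Brien Hauling", "public"),
    (4, "Payroll Processor", "restricted"),
]


def make_db():
    """Build the throwaway database the two lookup functions query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vendors (id INTEGER, name TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO vendors VALUES (?, ?, ?)", VENDORS)
    return conn


def lookup_vulnerable(conn, name):
    """Insecure pattern: the user-supplied value is spliced into the SQL text,
    so quote characters in the input change the structure of the statement.
    The visibility condition is meant to keep restricted rows hidden."""
    sql = ("SELECT id, name FROM vendors "
           "WHERE visibility = 'public' AND name = '%s'" % name)
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Hardened pattern: the value is bound as a parameter. The database
    compiles the statement first and only then receives the value, so the
    input is compared as data and is never parsed as SQL."""
    sql = "SELECT id, name FROM vendors WHERE visibility = 'public' AND name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(conn, name):
    """Run both lookups on the same input; returns (vulnerable_rows, safe_rows),
    with None for a lookup that failed with a SQL syntax error."""
    try:
        vuln = lookup_vulnerable(conn, name)
    except sqlite3.OperationalError:
        vuln = None
    return vuln, lookup_parameterized(conn, name)


if __name__ == "__main__":
    db = make_db()
    for probe in ["Acme Paving", "O'Brien Hauling", "x' OR '1'='1"]:
        print(repr(probe), "->", compare(db, probe))
```

Two things worth noticing when it runs: a perfectly legitimate name containing an apostrophe already crashes the string-built query (a symptom that shows up in application error logs long before anyone attacks), and the classic quote-plus-OR input turns the same query into one that returns every row, restricted ones included, while the parameterized version simply finds no vendor by that name.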

49
SQL Injection (SQL-I)
  • Who uses it?
  • State sponsored, cyber criminals, Hackers,
    Hacktivists, Jihadists, Anonymous, script-kiddies
  • Very effective tools are freely available
  • Recipes for finding targets (called Google dorks)
    are all over the open internet.

50
SQL Injection (SQL-I)
  • Local Examples?
  • KCKPD
  • Release of Accident records and related personal
    information
  • Wichita
  • Release of vendor/personal financial information

51
SQL Injection (SQL-I)
  • Prevention
  • Limit database services
  • Assure all applications and operating systems are
    patched to current level
  • Keep an eye out for announced vulnerabilities
  • Dynamic monitoring at the firewall or application
    server
  • Threat detection services
  • Applications configuration security ( Passwords
    )

52
SQL Injection (SQL-I)
  • MITIGATION
  • Watch for breach announcements
  • Notification process
  • Prevent further breaches (turn off access until
    it's fixed)
  • Aggressively pursue disclosures
  • Where applicable, get outside help (FBI, DHS,
    USSS, Commercial services)

53
DEFACEMENT
  • WHAT IS IT?
  • Any unauthorized changes made to the appearance
    of either a single webpage, or an entire site. In
    some cases, a website is completely taken down
    and replaced by something new.

54
DEFACEMENT
  • Who uses it?
  • Plethora of Jihadists
  • Anonymous Affiliates
  • Syrian Electronic Army
  • POH (Plain old hackers)

55
DEFACEMENT
  • Examples?
  • Akron OH
  • Marines.com
  • Huffington
  • MO.GOV
  • Check out www.zone-h.com (database of 180,000)

56
(No Transcript)
57
(No Transcript)
58
(No Transcript)
59
DEFACEMENT
  • Prevention / Mitigation
  • Keep Server systems and CMS apps up-to-date
  • Better passwords
  • Don't share system accounts outside the organization
  • Reputation monitoring services
  • Good backups

60
Attacks That Get Through The Firewall
61
APT The Really Bad Stuff
  • Computer network exploitation by threat actors
    enables:
      • Massive financial losses
      • Degradation/disruption of services
      • Extortion
      • Intellectual property theft
      • Counterfeiting
      • Theft of proprietary data
      • Identity theft (personally identifiable
        information)
      • Access to credit
      • Loss of money and credibility

62
Computer Network Exploitation
The Bad Guys are INSIDE the computer now.
  • (Try to stay on the left side of the Cyber Kill Chain)

63
Spear-Phishing
  • Targeted e-mails containing malicious attachments
    or links
  • E-mails forged to look as if they came from a
    legitimate source and have a subject that the
    victim is likely to open.
  • Target e-mail addresses can be harvested from Web
    sites, social networks, etc.
  • Targeting of CEOs, executives is called
    whaling.

64
Sample Phishing Website
(Via fsecure.com)
65
Sample Phishing Website
Compromised police academy server in India
(Via fsecure.com)
66
(Via nytimes.com)
67
Prevention
  • Constant Education
  • Information Sharing between agencies
  • OPSEC
  • Cyber Hygiene
  • PASSWORDS!!!!!!!!!!!!!
  • Response plans
      • Cyber Tabletop Exercises
      • Test Your Capabilities
      • Figure Out Roles and Responsibilities

68
What is your plan?
  • How to recover?
      • WHO ?
      • COST ?
  • How to mitigate
      • CRITICAL SERVICES
  • How to deal with the public
      • PUBLIC CONFIDENCE
      • LIABILITY

69
EVALUATE YOUR RISK. THREAT VULNERABILITY
CONSEQUENCE RISK
70
WHO CAN YOU CALL?
  • Fusion Center
      • KC Regional Terrorism Early Warning
      • Cyber Threat Intelligence Program
      • kctew@kcpd.org
      • (816) 413-3588
  • Missouri Information Analysis Center
  • St Louis Terrorism Early Warning

71
(No Transcript)
72
(No Transcript)
73
NFCA Cyber Threat Intelligence (CTI) Subcommittee
NFCA Cyber Intelligence Network (CIN)
[Map of the United States showing the states participating in the NFCA Cyber Intelligence Network]
74
WHO CAN YOU CALL?
  • The Department of Homeland Security (DHS)
      • The National Cybersecurity and Communications
        Integration Center (NCCIC)
      • The U.S. Computer Emergency Readiness Team
        (US-CERT)
      • The Industrial Control Systems Cyber Emergency
        Response Team (ICS-CERT)
      • The National Coordinating Center for
        Telecommunications (NCC)

75
WHO CAN YOU CALL?
  • The USSS (US Secret Service)
      • Your nearest field office usually has a local
        Electronic Crimes Task Force
      • Has Critical Incident Response Teams

76
WHO CAN YOU CALL?
  • The Federal Bureau of Investigation (FBI)
      • Your local FBI Cyber Division
      • FBI CyWatch
      • FBI Critical Incident Response Group (CIRG)
        Strategic Information and Operations Center
        (SIOC)

77
WHO CAN YOU CALL?
  • KC Regional Terrorism Early Warning
      • Cyber Threat Intelligence Program
      • kctew@kcpd.org
      • (816) 413-3588

78
Discussion
79
  • Contact
      • Troy Campbell
      • KCTEW
      • Cyber Threat Intelligence Program
      • tcampbell@kcpd.org
      • (816) 413-3588

80
(No Transcript)
81
(No Transcript)
82
Cyber Information Sharing Issues
83
Cyber Information Sharing A Challenging Process
84
Issues in Intelligence / Information Sharing
  • No Cross-Community Standards
      • Formats
      • Flow Paths
      • Classification Downgrades
      • Identity requests
      • Standard terminology
      • Two-way information flows