CCD course, Lecture 4b: Case studies of IT attacks (2/2).
Material
Underlying material [OBLIGATORY READ!]:
Literature: the last two Internet Security Threat Reports by Symantec.
Federal Network Resilience Cybersecurity Assurance Branch. Unintentional Insider Threats: Social Engineering (2014). Only the sections: 3, 5, 6.1, 6.2, 6.3. Available at
2018 Internet Security Threat Report (part 1)
Executive Summary
With each passing year, not only has the sheer volume of threats increased, but the threat landscape has become more diverse, with attackers working harder to discover new avenues of attack and cover their tracks while doing so.
UP:
Coin-mining attacks explode
Spike in software supply chain attacks
Mobile malware continues to surge
DOWN:
Ransomware business experiences market correction
Drop in zero days can’t halt the rise in targeted attacks
As opposed to 2017 (part 1)
Targeted attacks: Subversion and sabotage
Attacks against the US Democratic Party (APT29). Cyber attacks involving sabotage have traditionally been rare.
Financial cyber attackers chase the big scores
Until recently, cyber criminals mainly focused on bank customers; a new breed of attacker is targeting the banks themselves.
Resurgence of email as favored attack channel
One in 131 emails was malicious, the highest rate in five years.
Ransomware escalating demands
Average ransom demand in 2016: $1,077, up from $294 in 2015.
New frontiers: IoT and cloud move into the spotlight
DDoS
As opposed to 2017 (part 2)
Living off the land
Attackers ranging from cyber criminals to state-sponsored groups have begun to change their tactics, making more use of operating system features and off-the-shelf tools. “Living off the land”, making use of the resources at hand rather than malware and exploits, provides many advantages to attackers.
Identifying and exploiting zero days has become harder as improvements in secure development and bounty programs take hold.
Web attack toolkits have fallen out of favor, likely due to the effort required to maintain fresh exploits and a backend infrastructure.
BACK TO 2018
Coin-mining attacks explode
This coin-mining gold rush resulted in an 8,500 percent increase in detections of coinminers on endpoint computers in 2017.
With a low barrier to entry.
As malicious coin mining evolves, IoT devices will continue to be ripe targets for exploitation. Symantec already found a 600 percent increase in overall IoT attacks in 2017, which means that cyber criminals could exploit the connected nature of these devices to mine en masse.
Spike in software supply chain attacks
Despite the EternalBlue exploit wreaking havoc in 2017, the reality is that vulnerabilities are becoming increasingly difficult for attackers to identify and exploit (see also “living off the land”).
In response to this, Symantec is now seeing an increase in attackers injecting malware implants into the supply chain to infiltrate unsuspecting organizations, with a 200 percent increase in these attacks.
Two types:
Target the “maintenance guys”
Target the software update
Spike in software supply chain attacks (2)
Motivation for attackers:
01 Infiltration of well-protected organizations by leveraging a trusted channel
02 Fast distribution: the number of infections can grow quickly as users update automatically
03 Targeting of specific regions or sectors
04 Infiltration of isolated targets, such as those in industrial environments
05 Difficult for victims to identify attacks, as trusted processes are misused
06 May provide the attacker with elevated privileges during installation
Ransomware experiences market correction
When viewed as a business, it’s clear that ransomware profitability in 2016 led to a crowded market with overpriced ransom demands. In 2017, the ransomware “market” made a correction, with fewer ransomware families and lower ransom demands, signaling that ransomware has become a commodity.
The average ransom demand dropped to $522, less than half the average of the year prior.
The number of ransomware families dropped, suggesting they are innovating less and may have shifted their focus to new, higher-value targets.
Many cyber criminals may have shifted their focus to coin mining.
Drop in zero days can’t halt the rise in targeted attacks
This is a very interesting one: overall targeted attack activity is up by 10%.
90%: intelligence gathering. 10%: some form of disruptive activity.
The “Living off the Land” trend continues, with attack groups opting for tried-and-trusted means to infiltrate target organizations.
#1 infection vector: spear phishing (71%)
The use of zero days keeps dropping. In fact, only 27 percent of the 140 targeted attack groups that Symantec tracks have been known to use zero-day vulnerabilities at any point in the past.
Mobile malware continues to surge
The number of new mobile malware variants is up 54%, with an average of 24,000 malicious mobile applications blocked each day.
The problem is exacerbated by the continued use of older operating systems.
Mobile users also face privacy risks from grayware, apps that aren’t completely malicious but can be troublesome. Symantec found that 63 percent of grayware apps leak the device’s phone number. With grayware increasing by 20 percent in 2017, this isn’t a problem that’s going away.
Predictions for 2018 (1 of 3)
Mid-tier mature cloud providers will likely see the impact of the Meltdown and Spectre vulnerabilities
Part of the “race to the bottom”
Meltdown and Spectre can affect all kinds of computers, but the most worrying possible impact is in the cloud, because an attack on a single server could lead to the compromise of multiple virtual machines running on that server.
WannaCry and Petya/NotPetya may inspire a new generation of self-propagating threats
Worms enjoyed their heyday around the turn of the century. E.g. Slammer in
Until May 2017, it seemed unlikely that another threat could cause global disruption in the same way. That all changed with the arrival of WannaCry and Petya/NotPetya. Both threats were capable of self-propagation largely because they used the EternalBlue exploit. Attackers will no doubt have noticed how effective both threats were. EternalBlue’s usefulness may be exhausted at this stage, but there are other techniques that can be used.
We haven’t seen this
Predictions for 2018 (2 of 3)
IoT attacks will likely diversify as attackers seek new types of devices to add to botnets
While IoT attacks weren’t in the headlines as much in 2017 as they were in 2016, they certainly haven’t gone away. In fact, attacks against IoT devices were up by 600 percent last year. Some IoT attackers have already started looking beyond routers and have begun to target other connected devices in a serious way.
Coinminer activity will likely continue to grow but will increase focus on organizations
Although the immediate rewards may ostensibly seem lower, coin mining offers a long-term, passive revenue stream if the miners can remain undiscovered for longer. We believe that coin-mining activity will increase in the mobile space into 2018 and beyond. We saw an uptick at the end of 2017 and, if this proves lucrative, it may grow.
Predictions for 2018 (3 of 3)
Attacks on critical infrastructure likely to step up in 2018
Attackers have been exhibiting a growing interest in critical infrastructure in recent years, and the scale and persistence of these attacks is now reaching worrying proportions. Our latest research on the Dragonfly group found that it has continued to target the energy sector in Europe and North America. These attacks would likely give Dragonfly the ability to sabotage or gain control of these systems should it decide to do so. However, it seems unlikely that any group would go to these lengths unless it was prepared to launch disruptive attacks. Nonetheless, there is a real risk that at some stage soon, Dragonfly’s masters may decide to play this card.
Targeted Attacks
3 new targeted attack groups every year
90% intelligence, 10% disruptive
INSIDER DANGER
UNINTENTIONAL INSIDER THREATS: SOCIAL ENGINEERING
Only the sections: 3, 5, 6.1, 6.2, 6.3
Definition of unintentional insider threat:
(1) a current or former employee, contractor, or business partner
(2) who has or had authorized access to an organization’s network, system, or data and who,
(3) through action or inaction without malicious intent,
(4) unwittingly causes harm or substantially increases the probability of future serious harm to the confidentiality, integrity, or availability of the organization’s resources or assets, including information, information systems, or financial systems.
Taxonomy of Social Engineering
Procedures: one or two stages
Case 1 of 3 (from the book “Targeted Attacks”)
INDUSTRY: Information and telecommunication
STAGING: Single
INCIDENT: Attackers sent an innocent-looking email to news service staffers urging them to click on a link to an important article on another news organization’s blog that, unknown to the victims, would infect their computers with malware. The malware allowed the hackers to capture passwords to the news service’s Twitter account.
BREACH: Access to the news service’s Twitter account allowed the attacker to send an erroneous Tweet warning of two explosions in a government building.
OUTCOME: Within minutes, the bogus story had a brief but very real effect on the stock market, causing it to drop significantly. This stock market loss was made up after the story was confirmed to be false. This was the second widespread social engineering attack on the news service, which had implemented extensive training after the first.
Case 2 of 3
INDUSTRY: Computer manufacturer
STAGING: Single
INCIDENT: Malware to attack computer manufacturers was spread through a website for software developers. The website advertised a Java plug-in that could be installed on desktops.
BREACH: A few employees of one reported company installed the so-called Java plug-in, which was in fact cleverly placed malware. The incident affected a small number of systems.
OUTCOME: The manufacturer worked with law enforcement to find the source of the malware. The manufacturer’s native antimalware software was able to catch the malware and isolate it.
Case of a two-staged attack
First stage: “general purpose” phishing aimed at people who have little security training. E.g. (from )
Then reconnaissance (gathering of intelligence for the second stage).
Second stage: customized spear-phishing to the executives.
Case 3 of 3
INDUSTRY: Banking and finance, manufacturing
STAGING: Multiple
INCIDENT: The phisher impersonated the company’s bank, requesting information to address security concerns. The insider clicked on a link in a phishing email and entered confidential information.
Stage 1 - phishing to multiple bank customers
Stage 2 - spear phishing to executives with likely wire-transfer authority
BREACH: The disclosure included credentials and passwords that enabled outsiders to transfer funds to accounts in several countries.
OUTCOME: The bank was able to reverse 70 percent of the total money lost.
RESPONSE: The company recovered the remainder in a court settlement resulting from a lawsuit brought against the bank.
OLD
Articles for the discussion on the 19th
2018 Internet Security Threat Report, available at Symantec.com.
Federal Network Resilience Cybersecurity Assurance Branch. Unintentional Insider Threats: Social Engineering (2014). Only the sections: 3, 5, 6.1, 6.2, 6.3. Available at
M. Karami, Y. Park, D. McCoy. Stress Testing the Booters: Understanding and Undermining the Business of DDoS Services. WWW '16, Proceedings of the 25th International Conference on World Wide Web. Pages (for the assignments). Available at
Michel van Eeten, Katsunari Yoshioka, Daisuke Makita, Carlos Hernandez Gañan, Maciej Korczyński, Arman Noroozian. Who Gets the Boot? Analyzing Victimization by DDoS-as-a-Service. Proceedings RAID (for the assignments). Available at