The Adversary's New Game Plan

#RSAC
SESSION ID: HT-T10
Vincent Weafer
VP, McAfee Labs
Intel Security Group
@vincentweafer
Cybercrime
Cost the global economy an estimated $445B and was ranked the most likely risk by US leaders [1]
By 2019, the cost is estimated to increase to $2.1 trillion globally, which is 4x 2015 levels [2]
[1] Economic Impact of Cybercrime II: CSI/McAfee 2014
[2] The Future of Cybercrime & Security: Financial and Corporate Threats & Mitigation, Juniper Research 2015
The Tsunami
McAfee GTI responds to 44.1 billion queries every day, or approximately 500,000 every second.
McAfee Labs malware samples grew 32% in the past year to 600 million samples.
Total ransomware has grown 128% in the past year. Total mobile malware has grown 151% in the past year.
Impacted Sectors
[Chart: incidents per quarter (Q1 to Q3), scale 0 to 60, by sector: Finance, E-Commerce, Political Org, Media, Multiple, Online Services, Health, Software Development, Single Individuals, Public Sector]
[Chart: Public Sector attack vectors: Unknown 28%, DDoS 23%, Targeted Attack 18%, Defacement 16%, Account Hijacking 9%, Vulnerability 2%, SQLi 2%, Malware 2%]
Cybercrime
Extremely profitable
Low infrastructure costs
Exploits new technologies
Readily available attack tools
Radically fast ability to recruit skills
They create new markets and, above all, they're entrepreneurial
Cybercrime: traditional crime and its online counterpart
Fencing stolen property… → Theft of intellectual property
Street prostitution… → Online pornography empires
Heroin, cocaine trafficking… → Internet access to counterfeited prescription drugs / illegal drugs
Extortion of local businesses for protection… → Extortion of corporations, kidnappings, ransomware
82% of data breaches are attributed to organized crime [1]
[1] According to the 2013 Report from the United Nations Interregional Crime and Justice Research Institute
The Changing Face of Hacking
Recreational / Vandals
Hacktivism / Reputation Attacks
Cybercriminals / Organized Crime
State Sponsored Cyberespionage / Cyberattacks
2016 Inflection Points
[Timeline, Jan to Nov 2016: Healthcare Ransomware Attacks; Attacks on SWIFT Network; IoT Attacks; Financial Attacks; German Nuclear Malware Attack; OpIcarus DDoS; Yahoo Breach Disclosure; Krebs/Dyn DDoS; US Elections; WADA/IOC Attacks; South Korean Attacks; Reputation Attacks]
What Drives Cyber Attacks
Marketplace
State of Defense
Tools
Actors
Defenders
And of course, people…
New Game Plan : Data Aggregation / Data Mining
Flexible distributed marketplace
Debit card + PIN data
Market data + stolen IP
Government employees' details
Reputation data + understanding sensitivity of roles
Physical location + electronic keys
Vulnerability data + knowledge of services / tools deployed
New Game Plan : Advanced Tools and Exploit Kits
What hackers look for
Infection rates
Pricing
User interface and support
Configuration options
Example : Angler and Neutrino kits
Exploit kits combined with macro kits that easily create an Office document with a macro payload
Heavily used in ransomware
Angler Campaign
Average life of server in days: 1
Observed served exploits/day: 9,000
Users who were exploited: 3,600
Percent serving ransomware: 62%
Estimated annual revenue: $34M
New Game Plan : Crimeware as a Service
Ransomware as a Service
Very popular and several kits are offered
Fuels growth of affiliate delivery models
Dark Market Services
AlphaBay and Exploit.IM – services offered ranging from exploit kits to ransomware and data dumps of healthcare institutes
Extortion as a Service
Includes the ‘Stresser platforms’ where DDoS on demand can be bought
New Game Plan : Attack Platforms
[Diagram: three attack platform types with examples]
Mobile Attack Platforms, e.g. Dridex: 2015 financial attacks, targeted against specific regions/banks
Overwhelming Force, e.g. Mirai IoT Cannon: 2016, 1 terabit/second capacity, being sold for $7,500
Air Gap Attack: Stuxnet (2012), German nuclear power plant (2016), Sauron Toolkit (2016)
New Game Plan : Exploit New Platforms
IoT devices will swell in number: 15B devices in 2015 to 200B devices in 2020.
Most will have limited security:
70% enable attackers to identify valid user accounts [1]
50% will not be able to address threats from weak authentication practices [2]
70% use weak unencrypted services [3]
66% will have a security breach by 2018 [4]
They will be difficult or impossible to update, and they will have access to significant systems and networks.
New Game Plan : Leverage Insiders
Actors Try to Recruit Insiders in Financial Institutes
New Game Plan : Predictions
Ransomware growth subsides
Windows vulnerability exploits cool down
Hardware and firmware threats an increasing target for sophisticated attackers
Mobile threats to include ransomware, RATs, compromised app markets
IoT malware opens a backdoor into the home
ML accelerates social engineering attacks
Hacktivists expose privacy issues
New Game Plan : Summary
Attackers are persistent, knowledgeable and actively seeking the weakest link.
Most broad-based attacks are opportunistic… you don’t need to outrun the bear, just outrun your colleagues!
Targeted threats will take time to learn the environment and are frequently persistent for months before the breach event.
Pay attention to the insider attack. Don’t just focus on availability and functionality with little regard to internal security.
New Game Plan : Call to Action
Start with a security strategy that ties together multiple aspects of the defense lifecycle, including:
Understand attacker motivations for your enterprise
Identify the key risk factors for theft, loss of service, reputation damage
Identify early reconnaissance activities
Use encryption, authentication and deception techniques
Run attack simulations – red team / blue team exercises
New Game Plan : Call to Action
Measure & Adapt Security Defenses
Augment defenses for DETECTION & CORRECTION
Minimize direct connections to critical assets
Fast responses and zero malware policies
Deploy Analytic Tools
Watch for low level event data across multiple sensors
Constantly test and measure effectiveness of control points
Q&A