Bot-Trek Cyber Intelligence (CI) is a platform that allows customers to monitor, analyze and predict potential threats to information security relevant to the company, its partners and customers.
Examples of Incidents
Home Depot's 56 Million Card Breach Bigger Than Target's
Home Depot Inc. said 56 million cards may have been compromised in a five-month attack on its payment terminals, making the breach much bigger than the holiday attack at Target Corp.
Other headlines:
Data Breach at Health Insurer Anthem Could Impact Millions
Banks: Card Thieves Hit White Lodging Again
FBI: Businesses Lost $215M to Email Scams
Home Depot: 56M Cards Impacted, Malware Contained
Medical Records For Sale in Underground Stolen From Texas Life Insurance Firm
Sony Breach May Have Exposed Employee Healthcare, Salary Data
Malware Based Credit Card Breach at Kmart
Dairy Queen Confirms Breach at 395 Stores
Huge Data Leak at Largest U.S. Bond Insurer
Hackers Plundered Israeli Defense Firms that Built 'Iron Dome' Missile Defense System
eBay Urges Password Changes After Breach
Target: Names, Emails, Phone Numbers on Up To 70 Million Customers Stolen
Chinese Hackers Target Israel's Iron Dome
Three Israeli defense contractors responsible for building the "Iron Dome" missile shield currently protecting Israel from a barrage of rocket attacks were compromised by hackers and robbed of huge quantities of sensitive documents pertaining to the shield technology.
Massive Sony breach sheds light on murky hacker universe
Last week Sony admitted to having suffered a major cybersecurity breach; hackers not only erased data from its systems, but also stole, and released to the public, pre-release movies, people’s private informa
Targeted Attacks in 2014
Hacking of more than 50 Russian banks, 5 payment systems, and 16 retail companies. Access to isolated banking systems, ATMs, e-mail, and payment gateways.
Hacking of telecom operators, state-owned companies, research institutions, and political organizations. Access to confidential information, tracking of GSM networks.
Hacking of energy, pharmaceutical, construction and educational institutions.
Hacking of government, diplomatic, energy, oil, investment companies and research institutes.
Groups: Anunak, Regin, Energetic Bear
Data on Damage (HP, PwC, Group-IB)
Average damage due to cyber attacks per company: $12.7 mln
Reacting to the incident after it has already occurred is very expensive, both in managing the consequences and in eradicating the attacker from the internal infrastructure.
Incidents cause great damage to large organizations.
$40 mln is earned by one criminal group by stealing Internet banking information.
$1.5 mln is the direct damage caused by a targeted attack.
< $1.2 mln is the amount of direct theft we prevent per year.*
* Group-IB data
The average amount of financial losses due to information security incidents, 2013-2014, by organization size:

Organization size                              Damage amount, 2013   Damage amount, 2014
Large organizations (income over $1 bln)       $3.9 mln              $5.9 mln
Medium-sized organizations ($100 mln-$1 bln)   $1 mln                $1.3 mln
Small organizations (income under $100 mln)    $0.65 mln             $0.41 mln
Incident Development Time
Time scale of events in % of the total number of hackings

Phase                                           Seconds  Minutes  Hours  Days  Weeks  Months  Years
From attack to compromise                       10%      75%      12%    2%    0%     1%      1%
From compromise to leakage                      10%      38%      14%    25%   8%     8%      0%
From leakage to detection                       0%       0%       2%     13%   29%    54%     2%
From detection to localization and elimination  0%       1%       9%     32%   38%    17%     4%

Hacking takes minutes. Detection and elimination take weeks and months.
It is not possible to distinguish, among thousands of events, those that are really important.
Means of protection do not provide information on the attackers, the tools used and the attack tactics.
An accidentally intercepted password can be the beginning of a targeted attack.
There are no indicators to identify interesting incidents.
The importance of an event cannot be adequately estimated without knowledge of the hacking target.
Be Proactive
Preparation: hours to months. Hacking: seconds. Data leakage: months.
Forecast possible attacks.
Identify attacks in preparation.
Study attack tactics based on other incidents.
Be prepared to resist threats in advance.
Suppress the attack at the very beginning.
1. Exploration (reconnaissance): collection of e-mails, confidential information, etc.
2. Arming (weaponization): collection of exploits and backdoors.
3. Delivery of arms to the victim via e-mail, Web, USB, etc.
4. Exploitation of vulnerabilities by using malicious programs on the victim's devices.
5. Installation of malicious programs on the victim's devices.
6. Management: sending commands for remote control of the victim's device.
7. Impact on the facilities, access to the needed data.
Be constantly involved in the analysis of various incidents.
Track data leakage outside the protection perimeter.
Track attacks on partners and customers.
Study data on new threats.
Identify hacked accounts in botnets and phishing pages.
Cyber Intelligence makes it possible to prevent the incident at the preparation stage and to become proactive.
What is Needed for Proactive Protection?
Analyze connections between events.
Be provided with the infrastructure for data processing and receive information on new threats.
Bot-Trek Cyber Intelligence
Bot-Trek Cyber Intelligence is a platform enabling the customer to monitor, analyze and predict potential threats to information security that are relevant to the company, its partners and customers.
SaaS solution: no installation required.
Integration with antifraud systems and IDS/IPS/SIEM.
CI Operation
Data sources: botnets, spam traps, malware, forensics, sandboxes, bank cards, social networks, Deep Web, CERT, investigations.
Processing: correlation, additional data collection, intelligence exchange, analysis and check, relation to regions and business areas.
Outputs: analysis and trends, risk notifications, cracked passwords, databases, etc., hacktivism analysis, DDoS/deface/phishing/malvertising feeds, suspect IP addresses, drops (mules).
Compatible with STIX/TAXII. API for enterprise security. Dashboard.
The Data We Provide
Analysis of the actions of criminal groups
Assessment of attacks in various countries/business segments
Forecasting new threats
Information on the most relevant threats
Strategic data:
Information on threats and analysis
Information on current attacks
Information on criminal groups, their tools and tactics
Information on logins/passwords of the company, its partners and customers
Tactical/operational data:
IP and URL addresses
Names of malicious attachments
Themes of letters with targeted attacks
Hacked legitimate web-sites spreading malware
Changes in the operating system
Abnormal signs
Who Can Use the Data
As the Security/Risk Manager you can:
Prevent accidents and fraud
Correctly assess risks to the company
Develop tactical and strategic security plans
Track trends, global and local threats
Assess the effectiveness of protection processes
Respond effectively to current challenges
As the Marketing Director you can:
Improve the effectiveness of the marketing tools you use
Always be aware of the threats your company could be exposed to and have the tools for rapid counteraction
If necessary, add new channels to interact with potential customers of your company
As the Director of Human Resources (HR) you can:
Track unlawful activity of your employees
Adjust the policy of the company depending on the identified threats
As the Chief Executive Officer (CEO) you can:
Always be aware of the most dangerous threats your company could be exposed to
Assess the effectiveness of investments in protection
Be aware of potential financial losses
How to Manage the Large Amounts of Data?
Tactical information can be filtered by country and business area.
Individual notifications of targeted attacks on you, your partners and clients.
API for integration with your SIEM, IPS and firewall.
We support the STIX format for submission of threat data.
24x7 support.
Data Sources and Information Storage Security
Confidential data is available only to the companies it belongs to.
Data on different countries are stored on servers in those countries: storage devices are currently deployed in the USA, Germany, Russia, the Netherlands, and Great Britain. We process data in 11
Analytics and Trends
Content: analysis of hacking campaigns, damage evaluation, quarterly digests, statistical data, forecasting of threats.
Possibilities: invest expediently, adjust the risk map, identify your enemy, prioritize threats.

Compromised Data
Content: logins/passwords, IMEI/IMSI, card data, files (SMS, screen images, logs), drops (mules).
Possibilities: ensure against corporate leakage, ensure against fraud on customers, stop targeted attacks, get confirmation of hacking, identify the hacking source.

Threats
Content: hacking tools, tactics, data leakage, hiring of insiders.
Possibilities: correlate with your incidents, forecast the risks, identify an insider, warn the personnel and directorate, adapt the response plan.

Daily Attacks
Content: DDoS, deface, phishing, malvertising.
Possibilities: trace the bursts, forecast, identify the infections, estimate the risks.

Hacktivists and Cyberterrorists
Content: operations, groups, interrelations, experience, tools.
Possibilities: trace the leakages, study the attack tactics, estimate the risks, eliminate the attack consequences, forecast.

Targeted Attacks
Content: tactics, tools, indicators.
Possibilities: identify the attack, adjust the protection tools, estimate the risks, protect the partners.

Suspect IP Addresses
Content: TOR nodes, open proxies, private SOCKS proxies, compromised servers.
Possibilities: identify the attacks, integrate with antifraud systems.
Quick Start
Convenient web interface for data search and analysis.
Simple and quick connection process.
API for integration with existing protection systems.
Russia is the Source of the Most Interesting Threats
Bank trojans: Zeus, SpyEye, Carberp, Tinba, Dyre/Dyreza, Rovnix, Gozi/ISFB
Exploit kits: BlackHole, Angler, Rig, Nuclear, Neutrino, Styx
DDoS trojans: Black Energy, Optima Darkness, Dirt Jumper, Drive, Revolution
Targeted attacks: Red October, Energetic Bear, Anunak
CERT-GIB is the first round-the-clock accredited center for monitoring and detecting cyber threats.
Infrastructure for the analysis of network traffic.
Customers with incidents occurring daily.
Competent in operation with domains such as RU, RF, SU, ТАТАР, ДЕТИ.
Group-IB has the largest computer forensics lab in Eastern Europe.
Group-IB is one of the 7 most influential information security companies.
Why Group-IB?
80% of all major legal cases in the field of cybercrime involve Group-IB's expertise and research.
One of 7 companies included in the Gartner report in the Cyber Intelligence section.
Europol signed an agreement with Group-IB to cooperate in combating cybercrime on a global scale.
Rostec has chosen Bot-Trek as one of the main solutions that help create a corporate security system.
Group-IB's experts release a detailed report on cyber crime trends every year.
12 years of experience in the field of computer forensics, cyber crime prevention and brand
Participation of Group-IB in Notable Investigations
Arrest of the author of the Blackhole exploits: 40% of infections in the world occurred with the use of his exploits.
Arrest of Leonid Kuvaev: according to Spamhaus, he is one of the three most dangerous spammers in the world.
Arrest of the owner of the first mobile banking botnet.
Anunak/Carbanak attacks: successfully hacked over 50 banks.
Arrest of the Carberp group: botnet of more than 6 million computers, hundreds of millions of dollars stolen.