Bot-Trek Cyber Intelligence (CI)

Academic year: 2021


(1)

Bot-Trek Cyber Intelligence (CI) is a platform which gives customers the ability to monitor, analyze and predict potential threats to information security relevant to the company, its partners and customers.

(2)

Examples of Incidents

Home Depot's 56 Million Card Breach Bigger Than Target's

Home Depot Inc. said 56 million cards may have been compromised in a five-month attack on its payment terminals, making the breach much bigger than the holiday attack at Target Corp.

…Data Breach at Health Insurer Anthem Could Impact Millions, Banks: Card Thieves Hit White Lodging Again, FBI: Businesses Lost $215M to Email Scams, Home Depot: 56M Cards Impacted, Malware Contained, Medical Records For Sale in Underground Stolen From Texas Life Insurance Firm, Sony Breach May Have Exposed Employee Healthcare, Salary Data, Malware Based Credit Card Breach at Kmart, Dairy Queen Confirms Breach at 395 Stores, Huge Data Leak at Largest U.S. Bond Insurer, Hackers Plundered Israeli Defense Firms that Built ‘Iron Dome’ Missile Defense System, eBay Urges Password Changes After Breach, Target: Names, Emails, Phone Numbers on Up To 70 Million Customers Stolen …

Chinese Hackers Target Israel’s Iron Dome

Three Israeli defense contractors responsible for building the “Iron Dome” missile shield currently protecting Israel from a barrage of rocket attacks were compromised by hackers and robbed of huge quantities of sensitive documents pertaining to the shield technology.

Massive Sony breach sheds light on murky hacker universe

Last week Sony admitted to having suffered a major cybersecurity breach; hackers not only erased data from its systems, but also stole, and released to the public, pre-release movies, people’s private informa

(3)

Targeted Attacks in 2014

Hacking of more than 50 Russian banks, 5 payment systems, and 16 retail companies. Access to isolated banking systems, ATMs, e-mail, and payment gateways.

Hacking of telecom operators, state-owned companies, research institutions, and political organizations. Access to confidential information, tracking of GSM networks.

Hacking of energy, pharmaceutical, construction and educational institutions.

Hacking of government, diplomatic, energy, oil, investment companies and research institutes.

Groups named on the slide: Anunak, Regin, Energetic Bear

(4)

Data on Damage (HP, PwC, Group-IB)

Average damage due to cyber attacks per (unit cut off in the source): $ 12.7 mln

Reacting to the incident after it has already occurred is very expensive in terms of both the management of consequences and the eradication of the attacker from the internal infrastructure.

Incidents cause great damage to large organizations.

The average amount of financial losses due to information security incidents, 2013-2014.

$ 40 mln is earned by one criminal group by stealing Internet banking information

$ 1.5 mln is the direct damage caused by a targeted attack

< $ 1.2 mln is the amount of direct theft we prevent per year (* Group-IB data)

Organization sizes used in the chart: Large organizations (income over $ 1 bln); Medium-sized organizations (income from $ 100 mln to $ 1 bln); Small organizations (income less than $ 100 mln)

Chart values (damage amount, 2013 and 2014, by organization size, in the order extracted): $ 5.9 mln, $ 0.65 mln, $ 0.41 mln, $ 1 mln, $ 1.3 mln, $ 3.9 mln

(5)

Incident Development Time

Time scale of events in % of the total number of hackings:

                                                 Seconds  Minutes  Hours  Days  Weeks  Months  Years
From attack to compromise                           10%      75%    12%    2%     0%      1%     1%
From compromise to leakage                          10%      38%    14%   25%     8%      8%     0%
From leakage to detection                            0%       0%     2%   13%    29%     54%     2%
From detection to localization and elimination       0%       1%     9%   32%    38%     17%     4%

Hacking takes minutes. Detection and elimination take weeks and months.

(6)

It is not possible to distinguish among thousands of events those that are really important.

Means of protection do not provide information on attackers, the tools used and attack tactics.

An accidentally intercepted password can be the beginning of a targeted attack.

There are no indicators to identify interesting incidents.

The importance of an event cannot be adequately estimated without knowledge of the hacking target.

(7)

Be Proactive

Attack timeline: Preparation (hours to months), Hacking (seconds), Data leakage (months).

Forecast possible attacks. Identify attacks in preparation. Study attack tactics based on other incidents. Be prepared to resist threats in advance. Suppress the attack at the very beginning.

Stages of an attack:

1. Exploration: collection of e-mails, confidential information, etc.

2. Arming: collection of exploits and backdoors

3. Delivery of the arms to the victim via e-mail, Web, USB, etc.

4. Exploitation of vulnerabilities by using malicious programs on the victim’s devices

5. Installation of malicious programs on the victim’s devices

6. Management: sending commands for remote control of the victim’s device

7. Impact on the facilities, access to the needed data

(8)

What is Needed for Proactive Protection?

Be constantly involved in the analysis of various incidents

Track data leakage outside the protection perimeter

Track attacks on partners and customers

Study data on new threats

Identify hacked accounts in botnets and phishing pages

Analyze connections between events

Be provided with the infrastructure for data processing and receive information on new threats

Cyber Intelligence makes it possible to prevent the incident at the preparation stage and to become proactive.

(9)

Bot-Trek Cyber Intelligence

Bot-Trek Cyber Intelligence is a platform enabling the customer to monitor, analyze and predict potential threats to information security that are relevant to the company, its partners and customers.

SaaS solution: no installation required.

Integration with antifraud systems and IDS/IPS/SIEM.

(10)

CI Operation

Elements of the operation diagram: Botnets; SPAM traps; Malware; Forensic sandboxes; Bank cards; Social networks; Deep Web; CERT; Investigations; Analysis and trends; Risk notifications; Cracked passwords, databases, etc.; Hacktivism analysis; DDoS, Deface, Phishing, Malvertising feeds; Suspect IP; Drops/Mules; Correlation; Additional data collection; Intelligence exchange; Analysis and check; Relation to regions and business areas

Compatible with STIX/TAXII

API for Enterprise Security Dashboard

(11)

The Data We Provide

Analysis of the actions of criminal groups; Assessment of attacks in various countries/business segments; Forecasting new threats; Information on the most relevant threats

Strategic data: Information on threats and analysis; Information on current attacks; Information on criminal groups, their tools and tactics; Information on logins/passwords of the company, its partners and customers

Tactical/operational data: IP and URL addresses; Names of malicious attachments; Themes of letters with targeted attacks; Hacked legitimate web-sites spreading malware; Changes in the operating system; Abnormal signs

(12)

Who Can Use the Data

As the Security/Risk Manager you can: prevent incidents and fraud; correctly assess risks to the company; develop tactical and strategic security plans; track trends, global and local threats; assess the effectiveness of military protection processes; respond effectively to current challenges.

As the Marketing Director you can: improve the effectiveness of the marketing tools you use; always be aware of the threats your company could be exposed to and have the tools for rapid counteraction; if necessary, add new channels to interact with potential customers of your company.

As the Director of Human Resources (HR) you can: track unlawful activity of your employees; adjust the policy of the Company depending on the identified threats.

As the Chief Executive Officer (CEO) you can: always be aware of the most dangerous threats your company could be exposed to; assess the effectiveness of investments in protection; be aware of potential financial losses.

(13)

How to Manage the Large Amounts of Data?

Tactical information can be filtered by country and business area.

Individual notifications of targeted attacks on you, your partners, and clients.

API for integration with your SIEM, IPS, and Firewall.

We support the STIX format for submission of threat data.

24x7 support
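The two slides above describe tactical data (IP and URL addresses, attachment names, mail themes) delivered in STIX format for SIEM integration. The following added example, which is not code from the deck or from Group-IB, shows what a consumer of such a feed does with it: it indexes a constructed STIX 2.1-style bundle of indicators and matches them against constructed proxy and mail-gateway log lines. The bundle, the two log formats, the RFC 5737 test addresses and the .invalid hostnames are all assumptions made for the example; only single-comparison equality patterns are parsed, which covers every indicator type the slide lists.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed STIX 2.1-style bundle standing in for a tactical feed (sample
# data, not a real Bot-Trek export). IPs come from the RFC 5737 documentation
# range and hostnames use the reserved .invalid TLD.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "name": "C2 address (constructed)", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.5']",
         "valid_from": "2015-03-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "name": "Hacked site spreading malware (constructed)", "pattern_type": "stix",
         "pattern": "[url:value = 'http://update.example.invalid/check.php']",
         "valid_from": "2015-03-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000004",
         "name": "Malicious attachment name (constructed)", "pattern_type": "stix",
         "pattern": "[file:name = 'Invoice_2015.doc.exe']",
         "valid_from": "2015-03-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000005",
         "name": "Targeted-attack mail theme (constructed)", "pattern_type": "stix",
         "pattern": "[email-message:subject = 'Urgent payment order']",
         "valid_from": "2015-03-01T00:00:00Z"},
    ],
})

# Only the simplest STIX pattern shape is handled: one equality comparison in
# square brackets. Compound patterns (AND/OR/FOLLOWEDBY) are skipped, not
# half-parsed, so a partial match can never be mistaken for a real one.
_SIMPLE_PATTERN = re.compile(
    r"^\[\s*([a-z0-9-]+:[a-z0-9_.]+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*\]$")


def load_indicators(bundle_json: str) -> Dict[str, List[Tuple[str, str]]]:
    """Index indicators by observable path, e.g. 'ipv4-addr:value' ->
    [(value, indicator id), ...]. Unsupported patterns are ignored."""
    index: Dict[str, List[Tuple[str, str]]] = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        m = _SIMPLE_PATTERN.match(obj["pattern"])
        if not m:
            continue
        path, value = m.group(1), m.group(2).replace("\\'", "'")
        index.setdefault(path, []).append((value, obj["id"]))
    return index


# Constructed log lines in two made-up formats (not from any real product):
#   proxy: <ts> <client_ip> <method> <url> <dest_ip> <status>
#   mail:  <ts> mail from=<addr> to=<addr> subject="<text>" attachment=<name>
SAMPLE_LOGS = [
    "2015-03-02T10:14:07Z 10.0.0.12 GET http://update.example.invalid/check.php 203.0.113.5 200",
    "2015-03-02T10:15:30Z 10.0.0.12 GET http://intranet.corp.example/ 10.0.0.3 200",
    '2015-03-02T10:20:11Z mail from=ceo@corp.example to=cfo@corp.example subject="Urgent payment order" attachment=Invoice_2015.doc.exe',
    '2015-03-02T10:21:02Z mail from=hr@corp.example to=all@corp.example subject="Canteen menu" attachment=menu.pdf',
]

_MAIL_RE = re.compile(r'^(\S+) mail from=(\S+) to=(\S+) subject="([^"]*)" attachment=(\S+)$')
_PROXY_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$')


def observables_from_log(line: str) -> List[Tuple[str, str]]:
    """Turn one log line into (STIX observable path, value) pairs."""
    m = _MAIL_RE.match(line)
    if m:
        return [("email-message:subject", m.group(4)), ("file:name", m.group(5)),
                ("email-addr:value", m.group(2))]
    m = _PROXY_RE.match(line)
    if m:
        return [("url:value", m.group(4)), ("ipv4-addr:value", m.group(5))]
    return []  # unknown format: nothing to match rather than a guess


def match_logs(bundle_json: str, lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, matched value, indicator id) for every hit."""
    index = load_indicators(bundle_json)
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, start=1):
        for path, value in observables_from_log(line):
            for ioc_value, ioc_id in index.get(path, []):
                if value == ioc_value:
                    hits.append((n, value, ioc_id))
    return hits


if __name__ == "__main__":
    for hit in match_logs(SAMPLE_BUNDLE, SAMPLE_LOGS):
        print("line %d matched %r via %s" % hit)
```

Run as-is it reports four hits: the proxy line that reached the hacked site and the C2 address, and the mail whose subject and attachment name are both on the feed. Indexing by observable path means a feed entry only ever compares against the same kind of field it describes, which is what keeps a URL indicator from firing on an unrelated log field that happens to contain the same string.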

(14)

Data Sources and Information Storage Security

Confidential data is available only to those companies to which it belongs.

Data on different countries are stored on servers in those countries: storage devices are currently deployed in the USA, Germany, Russia, the Netherlands, and Great Britain.

We process data in 11

(15)

Analytics and Trends

Content: Analysis of hacking companies; Damage evaluation; Quarterly digests; Statistical data; Forecasting of threats

Possibilities: Invest expediently; Adjust the risk map; Identify your enemy; Prioritize threats

Data flow to the company: Analytics

(16)

Compromised Data

Content: Logins/passwords; IMEI / IMSI; Card data; Files: SMS, screen images, logs; Drops (Mules)

Possibilities: Ensure against corporate leakage; Ensure against fraud of customers; Stop targeted attacks; Get confirmation of hacking; Identify the hacking source

Data flow to the company: Compromised data

(17)

Threats

Content: Hacking tools; Tactics; Data leakage; Hiring of insiders

Possibilities: Correlate with your incidents; Forecast the risks; Identify an insider; Warn the personnel and directorate; Adapt the response plan

Data flow to the company: Threats

(18)

Daily Attacks

Content: DDoS; Deface; Phishing; Malvertising

Possibilities: Trace the bursts; Forecast; Identify the infections; Estimate the risks

Data flow to the company: Attacks

(19)

Hacktivists and Cyberterrorists

Content: Operations; Groups; Interrelations; Experience; Tools

Possibilities: Trace the leakages; Study the attack tactics; Estimate the risks; Eliminate the attack consequences; Forecast

Data flow to the company: Hacktivists and cyberterrorists

(20)

Targeted Attacks

Content: Tactics; Tools; Indicators

Possibilities: Identify the attack; Adjust the protection tools; Estimate the risks; Protect the partners

Data flow to the company: Targeted attacks

(21)

Suspect IP Addresses

Content: TOR nodes; Open proxy; Private SOCKS proxy; Compromised servers

Possibilities: Identify the attacks; Integrate with antifraud systems

Data flow to the company: IP addresses

(22)

Quick Start

Convenient WEB interface for data search and analysis

Simple and quick connection process

API for integration with existing protection systems

(23)

Russia is the Source of the Most Interesting Threats

Bank trojans: Zeus, SpyEye, Carberp, Tinba, Dyre/Dyreza, Rovnix, Gozi/ISFB

Exploit kits: BlackHole, Angler, Rig, Nuclear, Neutrino, Styx

DDoS trojans: Black Energy, Optima Darkness, Dirt Jumper, Drive, Revolution

Targeted attacks: Red October, Energetic Bear, Anunak

(24)

CERT-GIB is the first round-the-clock accredited center for monitoring and detecting cyber threats.

Infrastructure for analysis of network traffic

Customers with daily existing incidents

Competent in operation with domains such as RU, RF, SU, ТАТАР, ДЕТИ

Group-IB has the largest computer forensics lab in Eastern Europe.

(25)

Why Group-IB?

Group-IB is one of the 7 most influential information security companies.

80% of all huge legal cases in the field of cybercrime involve Group-IB’s expertise and research.

One of 7 companies included in the Gartner report in the Cyber Intelligence section.

Europol signed an agreement with Group-IB to cooperate in combating cybercrime on a global scale.

Rostec has chosen Bot-Trek as one of the main solutions that help create its corporate security system.

Group-IB‘s experts release a detailed report on cyber crime trends every year.

12 years of experience in the field of computer forensics, cyber crime prevention and brand

(26)

Participation of Group-IB in Notable Investigations

Arrest of the author of Blackhole exploits: 40% of infections in the world occurred with the use of his exploits

Arrest of Leonid Kuvaev: according to Spamhaus, he is one of the three most dangerous spammers in the world

Arrest of the owner of the first mobile banking botnet

Anunak/Carbanak attacks: successfully hacked over 50 banks

Arrest of the Carberp group: botnet of more than 6 million computers, hundreds of millions of dollars stolen

(27)

Ask about all possibilities of Bot-Trek Cyber Intelligence

http://ci.group-ib.com

Manager

Alexander Tushkanov

Head, International Sales

Group-IB

+7 495 984 33 64 ext. 575 (Moscow landline)

+44 (0) 74 7478 8808 (UK mobile)
