Demystifying nation state hackers

Presented at BSides Austin 2017, May 4, 2017, 5 p.m. (60 minutes)

Politics exist at every level of our society. Nation-state sponsored hacking has only recently become a mainstream political tool of war. Understanding the different ways nation-state sponsored actors might leave clues behind after they "let the animal house out" is crucial to forensic investigations. Considering why a country might want to penetrate your network is invaluable for system hardening and for assessing the potential negative security impacts in both the cyber and real worlds. In this talk I will discuss potential indicators, motivations and impacts of having nation-state sponsored hackers "prancing, snooping, and grazing" around your network. I will explore different major nation state level cyber incidents from 2007 to the present day.

I. Introduction

A. Background
  - First major 21st century cyber attack was on Estonia.
  - Snowden leaks revealed massive surveillance on the entire world by the United States.
  - Status quo: nation state hacking has become commonplace.

B. Why should you pay attention to nation-state level cyber-attacks?
  - Cyber attacks as a political tool drastically make the web more dangerous.
  - No matter how small or big, your network could be at risk of "prancing, snooping, and grazing" from malicious users.
  - Most organizations can't afford big SOC or NOC operations, so routine check-ups should be required.

C. Can I act as if this isn't happening and assume that my networks will be okay?
  - No. No matter how small or big your network, you could be a target for a multitude of reasons.
  - System hardening, regularly patched intrusion prevention software, and regular vulnerability assessments and penetration testing are key.

II. Cyber What? Cyber Who?

A. Past nation-state cyber events
  - US
  - China
  - Russia
  - Israel
  - Iran
  - Estonia
  - UK
  - North Korea

B. Potential indicators of malicious nation-state activity in your network.
  When doing forensics/incident response on potentially compromised networks, keep the following in mind:
  - Timeframe of the attack (which time zone does it match?)
  - Did the probes/spying stop when specific holidays associated with nations came around?
  - Where does the IP address say the computer is located?
  - What does the specific script of the malware reveal?

C. Common motivations for nation-state actors to "graze" around your network.
  - Cyber espionage (economic, military and scientific).
  - Disruptions (DDoS) = loss of confidence in tech, national infrastructure at risk.
  - What would a nation state have to gain by compromising your network?
  - Political (let's make sure a friendly administration gets put into power via election interference).

D. What are some impacts of letting state-sponsored "animals" run amok in your network?
  - Act of war = cyber attacks make major conflicts that much more likely, may lead to WWIII.
  - Unfair economic advantages due to theft of intellectual property (NASA, Lockheed Martin, examples of victims).
  - More dangerous Web 3.0 (malware ridden) (nation-state cyber weapons). (Mutually-assured destruction does NOT apply here because nuclear and cyber weapons of mass destruction are weighed on the same level.)

III. Why is this important and relevant?

A. Catching cyber criminals: common forensics tools, tips, techniques
  - SIFT (SANS Forensics ToolKit)
  - Evidence Mover (copies data between locations, with file comparison, verification, and logging)
  - Mail Viewer (viewer for Outlook Express, Windows Mail/Windows Live Mail, Mozilla Thunderbird message databases)
  - Wireshark (network protocol capture and analysis)
  - Nmap (utility for network discovery and security auditing)

B. Disaster recovery post nation state exploitation
  - Determine why you might be a target for state level hacking (protect those assets); tailor your business continuity plan around safeguarding those assets.
  - If you have reason to believe hackers penetrated your network, give them "low hanging fruit" that will leave a trail right back to them.
  - Sample BCP plan

IV. Conclusion

A. Don't let state-sponsored hackers turn your network into a zoo.
B. Contact law enforcement if your organization is under cyber-attack and they will give aid/resources.
C. Depending on your risk level, maybe consider investing in cyber insurance.
D. Make sure network hygiene is up to standard! (System hardening, penetration testing, vulnerability assessment, intrusion prevention system.)
E. Don't be afraid to accuse nation-states if you have evidence.
F. Consult the Tallinn Manual on Cyber Security for litigation advice.
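The time-zone and holiday indicators listed under II.B, worked through in Python as an added example (this is not code from the talk). It assumes a 09:00-18:00 weekday working window and uses constructed sample timestamps and a constructed candidate holiday date.

```python
"""Working-hours / holiday heuristic for attacker activity timestamps.

Added example, not from the talk. Scores candidate UTC offsets by how much
of the observed activity falls inside weekday business hours in that zone,
and reports dates on which activity paused between otherwise active days.
All timestamps and the holiday date below are constructed sample data.
"""
from collections import Counter
from datetime import date, datetime, timedelta, timezone

# Constructed sample: beacon/login events pulled from logs, in UTC.
EVENTS_UTC = [
    "2017-04-03T06:12:00", "2017-04-03T09:40:00", "2017-04-03T13:55:00",
    "2017-04-04T06:05:00", "2017-04-04T10:20:00", "2017-04-04T14:30:00",
    "2017-04-06T07:00:00", "2017-04-06T11:15:00", "2017-04-06T14:45:00",
    "2017-04-07T06:30:00", "2017-04-07T12:00:00", "2017-04-07T23:10:00",
]
# Constructed: a date suspected to be a holiday in the attacker's country.
CANDIDATE_HOLIDAYS = [date(2017, 4, 5)]


def parse_utc(ts):
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def business_hours_fraction(events, offset_hours, start=9, end=18):
    """Fraction of events landing Mon-Fri, start <= hour < end, in UTC+offset."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for ts in events:
        local = parse_utc(ts).astimezone(tz)
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / len(events)


def rank_offsets(events, offsets=range(-12, 15)):
    """(offset, fraction) pairs, best-fitting offset first; ties prefer small |offset|."""
    scored = [(o, business_hours_fraction(events, o)) for o in offsets]
    return sorted(scored, key=lambda x: (-x[1], abs(x[0])))


def holiday_gaps(events, holidays, offset_hours):
    """Holiday dates with no activity although the adjacent days were active."""
    tz = timezone(timedelta(hours=offset_hours))
    per_day = Counter(parse_utc(ts).astimezone(tz).date() for ts in events)
    return [h for h in holidays
            if per_day[h] == 0
            and per_day[h - timedelta(days=1)] > 0
            and per_day[h + timedelta(days=1)] > 0]
```

A high-scoring offset plus a matching holiday gap is only circumstantial: operators can shift hours or route through infrastructure in another region, so treat the result as one indicator to corroborate, not as attribution on its own.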

Presenters:

  • Aaron McBee - Cyber Security Analyst Intern - Max Cyber Security
    Aaron McBee is currently pursuing a degree in Cyber Security from the University of Texas San Antonio. He got his start by earning micro-certification credentials from Cybrary, and is now active in the infosec community as a current committee member for Bsides Chicago and volunteered for Bsides Salt Lake City and Infosec Southwest conferences. He is working on obtaining his Security+ and an associate level Certified Cyber Forensics Professional certifications (CCFP). Furthermore, he loves discussing politics, diplomacy, and war in regards to cyber. Aaron McBee will soon be returning to school to finish his Earth, Society and Environmental System Degree.
