Cyber Espionage: The harsh reality of advanced security threats
Contents
Introduction 3
A new enemy emerges: The cyber cartel 12
Introduction
[Figure: Attack execution. Panels: Targets (target information, target systems, target employees; gathered from peer-to-peer networks, search engines, social networking, job sites; available exploits); Attack execution (espionage, system and network access, denial of service; attack sequence, anonymization, obfuscation, schedule); Goals (on-line credentials, control systems, personal identity information, protected health information, system access, secret formulas, financial data, satellite, brand damage, corporate espionage, military advantage, revenge); Targets (board members, IT administrators, privileged users, key executives, supply chain, support staff).]
[Figure: Actors (domestic competitors, foreign competitors, foreign governments, hacktivist groups, rogue nations); Tools (social networking, custom malware, packet capture tools, satellite imaging, targeted exploitation tools, wireless surveillance); Techniques (1. Target selection & research: social engineering, underground repositories, spear phishing; 3. Maintaining access; 4. Exfiltration: wireless surveillance). Typical defender weaknesses listed alongside: inward facing, organization silos, information silos, resource constrained, manual analysis.]
[Figure: Incident handling flow: security incident reported, investigation, threat isolated and contained, remediation, root cause analysis.]

Security incidents are typically reported to an information security organization through a variety of different channels, including other departments, external vendors, law enforcement, media outlets, and the public.

Investigations typically take a considerable amount of time and are often plagued by missing or lost information that could have assisted significantly with understanding what happened.

Quickly finding and containing compromised devices can be very challenging in large distributed network environments. This process can often involve dispatching resources on-site to locate devices of interest.

Remediation often involves having to re-image devices, which can take long periods of time and also result in lost data and negative impacts to employee productivity.
[Figure: Cyber intelligence fusion. Raw data (event data, incident data, containment data; fields such as IP address, device name, risk level, destination IP, patch, domain, user ID, start time, stop time, LAN port, vulnerability, URL, status, image, e-mail address, MAC address, owner, switch name, root cause, registry key, line of business, assessment, VPN chassis, device type) flows through internal intelligence, normalization, enrichment and fusion into actionable intelligence, which feeds authentication decisions, risk assessment intelligence, technology investment, vendor selection and HR decisions, and maintaining awareness of the changing technology and business environment. Inputs: incident management database, perimeter router, regulatory database, rules and procedures, automation, process, history.]
[Figure: Cyber threat management platform. Lifecycle: 1. Proactive incident planning, 2. Detect, 3. Respond, 4. Contain, 5. Remediate, 6. Report. Engines: intelligence collection, cyber intelligence fusion, cyber threat intelligence analyst portal, device location, vulnerability scanning, reporting, intelligence normalization, security information & event management, remote forensics, containment, patch management, report distribution, threat modeling, enrichment, communication, re-imaging automation, impact analysis. Content: client cyber threat profile, containment policies, remediation instructions, report templates, intelligence subscriptions, correlation rules, analyst notebook, incident response plans, patching instructions, metric templates. Data: cyber intelligence data, asset database, contact database, vulnerability database, user module, authentication database, network module. Log sources: IDS events, proxy logs, firewall logs, DNS/DHCP logs, ARP/CAM logs, NetFlow logs.]
Take an inventory
Look at everything, including the pieces and components branded under trustworthy names but that come from outside your borders, where you may not have full visibility. Take a baseline of what they do and who they are reaching out to, and determine whether you want these activities to take place.
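One way to turn the baseline advice above into a repeatable check, as an added example that is not from the paper: build a per-device set of normal outbound destinations from NetFlow-style records, then flag later flows to destinations outside that set or with unusual volume. The device names, flow records and byte threshold are constructed.

```python
from collections import defaultdict

# Constructed NetFlow-style records (src_device, dst_ip, dst_port, bytes).
# Not from the paper; they stand in for a week of exported flow data.
BASELINE_FLOWS = [
    ("copier-03", "10.0.5.20", 443, 12_000),     # assumed vendor update service
    ("copier-03", "10.0.5.20", 443, 9_500),
    ("copier-03", "10.0.1.7", 53, 120),          # internal DNS
    ("badge-ctl-01", "10.0.1.7", 53, 90),
    ("badge-ctl-01", "10.0.9.4", 8443, 30_000),  # assumed management server
]

# Constructed observation window to compare against the baseline.
OBSERVED_FLOWS = [
    ("copier-03", "10.0.5.20", 443, 11_000),
    ("copier-03", "10.0.5.20", 443, 2_500_000),       # known peer, unusual volume
    ("copier-03", "10.0.1.7", 53, 110),
    ("copier-03", "198.51.100.23", 443, 4_200_000),   # never-seen external host
    ("badge-ctl-01", "10.0.9.4", 8443, 28_000),
    ("badge-ctl-01", "203.0.113.9", 22, 1_500),       # never-seen host, new service
]


def build_baseline(flows):
    """Map each device to the set of (dst_ip, dst_port) pairs it normally reaches."""
    baseline = defaultdict(set)
    for device, dst_ip, dst_port, _ in flows:
        baseline[device].add((dst_ip, dst_port))
    return dict(baseline)


def find_deviations(baseline, flows, byte_threshold=1_000_000):
    """Return flows that leave the baseline: a destination the device has not
    been seen reaching (also covers devices absent from the baseline entirely),
    or a known destination receiving more than byte_threshold bytes in one flow."""
    deviations = []
    for device, dst_ip, dst_port, nbytes in flows:
        known = baseline.get(device, set())
        if (dst_ip, dst_port) not in known:
            deviations.append(("new-destination", device, dst_ip, dst_port, nbytes))
        elif nbytes > byte_threshold:
            deviations.append(("volume", device, dst_ip, dst_port, nbytes))
    return deviations


if __name__ == "__main__":
    for finding in find_deviations(build_baseline(BASELINE_FLOWS), OBSERVED_FLOWS):
        print(finding)
```

Each flagged flow is a decision point for the question the paper asks: is this an activity you want to take place, or one to contain?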
[Figure: APT approach. Numbered paths (2, 4, 5, 6) between a cyber adversary, a co-location facility, a privileged employee, a trusted supplier and the corporate location, via: social network; spearphish and social engineering; weak encryption on a copier; desk; weak wireless encryption exposing credentials.]
[Figure: Information collected about a privileged employee: physical addresses, e-mail addresses, user IDs, contact information, telephone numbers, IP addresses, resumes, relationships, personal web sites, social network profiles, devices.]
This document contains general information only and Deloitte is not, by means of this document, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This document is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this document.
Contacts
Rhoda Woo
National Managing Principal
Security & Privacy
Deloitte & Touche LLP
+1 212 436 3388
rwoo@deloitte.com
Rich Baich
Principal
Cyber Threat & Vulnerability Management
Deloitte & Touche LLP
+1 704 887 1563
jbaich@deloitte.com
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.