Monday 23 November 2015

IRISSCON 2015 Recap - IRISSCERT

I had the pleasure of attending the 7th Irish Reporting and Information Security Service Computer Emergency Response Team (IRISSCERT) Cyber Crime conference (#IRISSCON) in Dublin, Ireland. See: www.iriss.ie


The event took place on Thursday, 19/Nov/2015 in the Berkley Court Hotel, in Ballsbridge Dublin. 

The annual all-day conference focuses on providing attendees with an overview of the current cyber-threats most businesses are facing, primarily in Ireland but also throughout the world. During IRISSCON, experts share their thoughts and experiences on cybercrime and cybersecurity, while a number of presentations give all attendees the opportunity to discuss the issues that matter most.

Thought leaders from industry, academia and government present at IRISSCON, and the audience is primarily the business community within Ireland. The topics discussed are:
  • Cyber Crime
  • Cyber Security
  • Cloud Security
  • Incident Response
  • Data Protection
  • Incident Investigation
  • Information Security Threats
  • Information Security Trends
  • Securing the Critical Network Infrastructure
In case you are not aware of it, IRISSCERT is a not-for-profit company that provides a range of free services related to information security issues to Irish businesses. Effectively, its mission is to raise awareness of, and counter, the security threats posed to Irish businesses and the Irish Internet space.
All talks during the day were very interesting and I am definitely going back next year for more. 

The speakers for the day were: Brian Honan, Rik Ferguson, Jenny Radcliffe, Mick Gubbins, Lance Spitzner, Phillip Woon, Paul Keane, Christopher Boyd, Thom Langford, Claus Cramon Houmann, Juan Galiana and Bob McArdle. 

One of the main issues raised throughout the day, in all talks, was user awareness. Businesses need to educate their staff to become more perceptive of threats that target them and, effectively, the business. During 2014, 6,534 incidents were reported to IRISSCERT; during 2015 this number increased to 26,137.

As an example, Electric Ireland has issued a warning about a scam email circulating mainly in Ireland that seeks to deceive people into providing personal financial information. 


Two types of attack on the rise that businesses should be aware of are:
  • DDoS Extortion
  • CEO Fraud

>> DDoS Extortion: In this case a business receives an email stating that unless a fee is paid (usually 50 Bitcoin) a DDoS attack will be launched. In some cases the email arrives after the DDoS attack has already started, claiming that the attack will stop if the ransom is paid (or be reduced if a portion of the ransom is paid).

A recent example was ProtonMail, which paid the ransom in order to stop the DDoS attack. However, as you probably realise, trusting extortionists and cyber-criminals is not the way to go: after ProtonMail paid, a new DDoS attack was launched, with the claim that it did not originate from the same group.

"DD4BC" is the name of the group behind the extortion; it claims it can launch attacks of up to 400-500 Gbps that can last from a few hours to whole days. Another criminal group, which calls itself the "Armada Collective", has been emailing online businesses demanding thousands of dollars in Bitcoin. The email sent to targeted businesses reads as follows:


From: "Armada Collective" armadacollective@openmailbox.org
To: abuse@victimdomain; support@victimdomain; info@victimdomain
Subject: Ransom request: DDOS ATTACK!

FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION!
We are Armada Collective.
All your servers will be DDoS-ed starting Friday if you don't pay 20 Bitcoins @ XXX
When we say all, we mean all - users will not be able to access sites host with you at all.

Right now we will start 15 minutes attack on your site's IP (victims IP address). It will not be hard, we will not crash it at the moment to try to minimize eventual damage, which we want to avoid at this moment. It's just to prove that this is not a hoax. Check your logs!

If you don't pay by Friday , attack will start, price to stop will increase to 40 BTC and will go up 20 BTC for every day of attack. If you report this to media and try to get some free publicity by using our name, instead of paying, attack will start permanently and will last for a long time.

This is not a joke.
Our attacks are extremely powerful - sometimes over 1 Tbps per second. So, no cheap protection will help.
Prevent it all with just 20 BTC @ XXX
Do not reply, we will probably not read. Pay and we will know its you. AND YOU WILL NEVER AGAIN HEAR FROM US!

Bitcoin is anonymous, nobody will ever know you cooperated.


If your business receives such an email, you should be prepared to react. It is highly advisable that you:
  • Do not ignore the threat.
  • Prepare your incident response team.
  • Ensure that your anti-DDoS mechanisms can cope (contact your ISP or a DDoS protection provider).
  • Make all involved parties aware of the threat.
  • Report the threat to the relevant e-crime unit (in Ireland: An Garda Siochana).
  • Review your business continuity plan.
  • Make sure Internet-facing services are patched and configured securely, and consider whether any services could be turned off to reduce the attack surface.
  • Do not pay the ransom: paying makes the business not only a victim but a funder of the extortion scheme.
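The extortion email above tells the victim to "check your logs" for a short demonstration attack. The following is an added example, not code from the original post or from IRISSCERT, of how an incident response team can confirm such a burst from ordinary web-server access logs: requests are bucketed per minute and any minute far above the median baseline is reported together with its top source addresses. The log lines are constructed for the example, and the combined log format, the `factor` and `min_requests` thresholds are assumptions to adjust to your own environment.

```python
"""Added example (not code from the original post or from IRISSCERT):
confirm the short "demonstration" burst that DDoS extortion emails
announce by bucketing web-server access-log lines per minute and
flagging minutes far above the baseline.  The log lines are constructed
for the example; the log format, factor and min_requests are assumptions
to adjust to your environment."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Apache/nginx "combined" format (assumed); adapt the pattern to your logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return (minute_bucket, source_ip, status) or None if unparseable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return ts.strftime("%Y-%m-%d %H:%M"), m.group("ip"), int(m.group("status"))


def find_bursts(lines, factor=10, min_requests=50):
    """Flag minutes whose request count is at least `min_requests` and at
    least `factor` times the median per-minute count.  Returns a list of
    (minute, request_count, top_three_source_ips), oldest first."""
    per_minute = Counter()
    ips_per_minute = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the scan
        minute, ip, _status = parsed
        per_minute[minute] += 1
        ips_per_minute[minute][ip] += 1
    if not per_minute:
        return []
    baseline = median(per_minute.values())
    return [
        (minute, per_minute[minute], ips_per_minute[minute].most_common(3))
        for minute in sorted(per_minute)
        if per_minute[minute] >= min_requests
        and per_minute[minute] >= factor * baseline
    ]


def build_sample_log():
    """Constructed sample: five quiet minutes of four requests each, then
    one minute in which four source addresses each send 45 requests."""
    def entry(ip, hh, mm, ss):
        return (f"{ip} - - [19/Nov/2015:{hh:02d}:{mm:02d}:{ss:02d} +0000] "
                f'"GET /index.html HTTP/1.1" 200 5123')

    lines = []
    for minute in (3, 4, 5, 6, 8):
        for n in range(4):
            lines.append(entry(f"203.0.113.{n + 10}", 10, minute, n * 15))
    for n in range(45):
        for host in range(1, 5):
            lines.append(entry(f"198.51.100.{host}", 10, 7, (n * 4 + host) % 60))
    return lines


if __name__ == "__main__":
    for minute, count, top in find_bursts(build_sample_log()):
        print(f"{minute}: {count} requests, top sources {top}")
```

Run it over a real access log with `find_bursts(open(path))`. A median baseline is deliberately used rather than a mean so that the burst itself does not inflate the threshold; a real demonstration attack will normally come from many more than four addresses, which is why the top sources are reported rather than used as the detection criterion.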

>> CEO Fraud: In this case the CEO is personally targeted by the cyber criminals. In some cases, spoofed emails have been sent to employees and third parties pretending to be from the CEO, usually instructing them to send payments. However, cyber criminals tend to focus their efforts on compromising the CEO's email account, as it gives them access across all the services he/she uses. Once they have gained access they look for other passwords and may also infect the CEO's PC with malware. With access to the CEO's accounts and email, they instruct finance to make payments to accounts under their control; these may be Bitcoin wallets or the accounts of fake businesses. CEO fraud is unlikely to set off spam traps, as these are targeted phishing scams that are not mass e-mailed.

To be proactive against this threat, the business needs to include the CEO in any security assessments being performed and, of course, in security awareness training. On top of that, businesses need to:
  • Ensure all staff use strong, unique passwords for their accounts.
  • Implement two-factor authentication (2FA) wherever possible.
  • Have an agreed procedure for how urgent and direct requests for payments are made, cross-checked and authorised.
  • Provide cybersecurity awareness training for ALL staff.
  • If the business falls victim to such an attack, report the incident to your financial institution and to the e-crime unit (in Ireland: An Garda Siochana).
  • Familiarise yourself with gamification and how it can be used to improve the outcome of security awareness training.
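The spoofed-email variant of CEO fraud described above can be screened for before a message reaches finance. The following is an added example, not code from the original post, of a first-pass check that applies the points from the text to a raw message: an executive's display name on an address that is not theirs, a look-alike sender domain, a Reply-To pointing elsewhere, and payment wording that should route the request into the agreed out-of-band authorisation procedure. The organisation domain `example.ie`, the executive directory, the word list and the two sample messages are constructed for the example; the heuristics are assumptions and complement, rather than replace, SPF/DKIM/DMARC checks at the mail gateway.

```python
"""Added example (not code from the original post): a first-pass screen
for CEO-fraud style emails, applying the checks described above to raw
message headers and body.  The organisation domain, executive directory
and the two messages are constructed for the example; the heuristics and
thresholds are assumptions, not a substitute for SPF/DKIM/DMARC."""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.ie"                          # assumed
EXECUTIVES = {"jane doe": "jane.doe@example.ie"}   # assumed directory
PAYMENT_WORDS = ("wire", "transfer", "payment", "invoice", "urgent")


def levenshtein(a, b):
    """Edit distance, used to catch look-alike domains such as examp1e.ie."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def screen_message(raw):
    """Return (identity_findings, payment_language) for one RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    name_key = name.strip().lower()
    domain = domain_of(addr)
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    findings = []
    # 1. An executive's display name on an address that is not theirs.
    if name_key in EXECUTIVES and addr.lower() != EXECUTIVES[name_key]:
        findings.append(f"display name '{name}' but sender address {addr}")
    # 2. A sender domain within two edits of ours (examp1e.ie, exarnple.ie).
    if domain and domain != ORG_DOMAIN and levenshtein(domain, ORG_DOMAIN) <= 2:
        findings.append(f"look-alike domain {domain}")
    # 3. Replies silently redirected to a different domain.
    if reply_to and domain_of(reply_to) != domain:
        findings.append(f"Reply-To {reply_to} differs from From domain {domain}")
    if msg.is_multipart():
        parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
        body = " ".join(
            p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
            for p in parts
        )
    else:
        body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    payment = any(word in text for word in PAYMENT_WORDS)
    return findings, payment


def verdict(raw):
    """'hold'   = impersonation signs plus payment wording: route to the
                  agreed out-of-band payment authorisation check;
       'review' = impersonation signs only;
       'ok'     = no identity finding (payment wording alone is normal)."""
    findings, payment = screen_message(raw)
    if findings and payment:
        return "hold"
    if findings:
        return "review"
    return "ok"


# Constructed sample messages (not real traffic).
SPOOF = (
    "From: Jane Doe <jane.doe@examp1e.ie>\n"
    "Reply-To: jane.doe.ceo@webmail.example\n"
    "To: finance@example.ie\n"
    "Subject: Urgent wire\n"
    "\n"
    "Please process the attached invoice today, I am in a meeting.\n"
)
LEGIT = (
    "From: Jane Doe <jane.doe@example.ie>\n"
    "To: finance@example.ie\n"
    "Subject: Invoice approval\n"
    "\n"
    "Approved, please pay per the usual procedure.\n"
)

if __name__ == "__main__":
    for label, raw in (("spoof", SPOOF), ("legit", LEGIT)):
        print(label, verdict(raw), screen_message(raw)[0])
```

Note what this cannot catch: the compromised-account variant, where the mail genuinely comes from the CEO's own mailbox, passes every header check here. That is exactly why the agreed payment-authorisation procedure and 2FA on executive accounts are listed above as controls in their own right.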
To summarise, the root causes behind most of the incidents reported in 2015 were:
  • Insecure passwords and reuse of the same password.
  • Missing patches.
  • Vulnerabilities that fall under the OWASP Top 10 list.
  • Content Management Systems (CMS) such as WordPress.
  • Out-of-date anti-virus software.
  • Lack of cybersecurity awareness training.
To conclude, cybersecurity awareness training and having an incident response plan are vital when it comes to protecting a business from cyber threats and cyber criminals. Even more important, however, is to have tested your incident response plan, assessed the results, made any necessary adjustments and, within a reasonable amount of time, tested it again.

Keep in mind that mobile devices are becoming a key target in cyber attacks: they not only contain our personal and business information but are broadly undefended, and can become a backdoor into the network. If a device is infected or compromised, the cybercriminal can:
  • Extract information such as application data and private communications.
  • Turn on the microphone and eavesdrop on conversations.
  • Turn on the camera.
  • Track the device's location.
  • Send emails and text messages impersonating the user.
  • Alter the device's security settings and hold it for ransom.
One of the key reasons to become proactive today is the cost of breach response. The following chart estimates how the costs are spread across different tasks after a breach for a hypothetical medium-sized company with approximately 15,000 customers; the overall cost could reach 500,000 Euros.

Familiarise yourselves with Project 2020, an initiative of the International Cyber Security Protection Alliance (ICSPA). Its aim is to anticipate the future of cybercrime, enabling governments, businesses and citizens to prepare for the challenges and opportunities of the coming decade. It comprises a range of activities, including common threat reporting, scenario exercises, policy guidance and capacity building.
