On Friday I went to the 4th International Conference on Cyber Security and Education, held at the Scottish Police College in Tulliallan Castle. There were loads of really interesting talks and I think the only letdown was the lack of abstracts/summaries of each talk; so often I was blindly going into a talk in one of the three streams available with a title like “malware” or “threat analysis” without much of an idea of what would be said. Photos and tweets from the event can be found with the hashtag #thecyberacademy.
Side channel analysis of embedded systems
The first talk I went to was on side channel analysis of embedded systems by Doug Carson from Keysight Technologies. Side channel analysis involves using electromagnetic or other emissions to establish what is happening on the device. Doug explained the basic methods of getting information out of embedded systems, both through side channels and by sticking in wires and probes and measuring all sorts of things. He showed a screenshot of a BMW system, complete with airbag controls (car hacking anyone??), and then said you could reverse engineer cryptography just from the spikes in signals. They had managed to get the encryption key from an AES-128 encrypted SIM card purely by using side channels. This stuff is amazing for forensics when you need to really understand the underlying system, but frightening if it gets into the wrong hands. So far all of this happens in labs with specialist equipment, but I don’t think that car ransomware in the future is too far-fetched an idea… For example, you are suddenly locked in your car with no way out, and must pay £20 to the hacker to be ‘unlocked’.
The second talk was Dell Secureworks Rafe Pilling speaking on malware they had seen in the last year:
- The top 4 malware families accounted for over 85% of malware events from their clients. He mentioned Dyre, Dridex and Neverquest, but I didn’t catch the fourth.
- They had found spearphishing campaigns with links to malicious payloads which sat inside the person’s internal network (which raises the question: if they had already managed to get something malicious into the internal system, why did they need to phish?)
- In general their statistics showed that malware was sector agnostic; the same malware was hitting finance, governments, healthcare etc; it was more what PII (Personally identifiable information) those companies were holding.
- They saw some unusual Dyre (banking Trojan) activity that was not just targeting banks – they targeted online recruitment agencies (for the PII), email marketing companies (to appear legitimate and harvest emails) and hosting companies (to latch onto their infrastructure)
- In a particular investigation they were conducting for a client, they were monitoring an attacker live who was typing into the command line. Rafe said a lot of information about the attacker can be gained by watching them type – the number of spelling mistakes / errors in commands, or whether the commands were copy/pasted directly into the prompt or typed out manually. This can show the level of skill the attacker has. He said a lot of clients had a hard time getting their heads round the fact that you shouldn’t just block and shut down an attack immediately if you find it on the system – monitoring and seeing what the attackers are actually doing for a bit gets valuable intel on the why and how.
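Here is a small added illustration of the typing-analysis idea from the last point. It is my own example, not anything shown in the talk: it assumes a session recorder that logs every keystroke with a timestamp (the event format, the sample session and the `PASTE_GAP_SECONDS` threshold are all constructed), reconstructs each command, counts corrections, and decides whether the text arrived in one burst (a paste) or at human typing speed.

```python
"""Profile an interactive shell session from keystroke timings.

Added illustration (not from the conference talk): given per-keystroke
timestamps from a session recorder, reconstruct each command, count the
corrections (backspaces) and decide whether each command was typed by
hand or pasted in as one burst.
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Tuple

BACKSPACE = "\x7f"
ENTER = "\n"

# Hypothetical threshold: consecutive characters closer together than this
# did not come from a human hand; a paste delivers the whole string at once.
PASTE_GAP_SECONDS = 0.02


@dataclass
class CommandProfile:
    text: str          # command as finally submitted (backspaces applied)
    corrections: int   # number of backspaces while composing it
    median_gap: float  # median seconds between keystrokes
    entry: str         # "typed" or "pasted"


def profile_session(events: List[Tuple[float, str]]) -> List[CommandProfile]:
    """Split a (timestamp, key) stream into commands and profile each one."""
    profiles: List[CommandProfile] = []
    buf: List[str] = []
    gaps: List[float] = []
    corrections = 0
    prev_ts = None
    for ts, key in events:
        if key == ENTER:
            if buf:
                observed = gaps or [0.0]
                pasted = len(buf) > 3 and max(observed) < PASTE_GAP_SECONDS
                profiles.append(CommandProfile("".join(buf), corrections,
                                               median(observed),
                                               "pasted" if pasted else "typed"))
            buf, gaps, corrections, prev_ts = [], [], 0, None
            continue
        if prev_ts is not None:
            gaps.append(ts - prev_ts)
        prev_ts = ts
        if key == BACKSPACE:
            corrections += 1
            if buf:
                buf.pop()
        else:
            buf.append(key)
    return profiles


def skill_indicators(profiles: List[CommandProfile]) -> Dict[str, float]:
    """Summarise what the analyst would look at: paste count and error rate."""
    typed = [p for p in profiles if p.entry == "typed"]
    per_cmd = sum(p.corrections for p in typed) / len(typed) if typed else 0.0
    return {"commands": len(profiles),
            "pasted": len(profiles) - len(typed),
            "corrections_per_typed_command": per_cmd}


def _keys(text: str, start: float, gap: float) -> List[Tuple[float, str]]:
    """Construct keystroke events for `text`, `gap` seconds apart from `start`."""
    return [(start + i * gap, ch) for i, ch in enumerate(text)]


# Constructed sample session: two hand-typed commands (one with a typo that
# is corrected) followed by a longer command that arrives as a single burst.
SAMPLE_SESSION = (
    _keys("whoan" + BACKSPACE + "mi" + ENTER, 0.0, 0.18)
    + _keys("ls -la" + ENTER, 5.0, 0.15)
    + _keys("cat /etc/hostname; uname -a" + ENTER, 10.0, 0.002)
)

if __name__ == "__main__":
    for p in profile_session(SAMPLE_SESSION):
        print(f"{p.entry:6} corrections={p.corrections} gap={p.median_gap:.3f}s  {p.text}")
    print(skill_indicators(profile_session(SAMPLE_SESSION)))
```

The interesting signal is the mix: a session that is all bursts suggests someone working from a runbook or tooling, while typed commands with a high correction rate point to a person improvising at the keyboard. The threshold needs tuning against the real recorder's clock resolution before it is trusted.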
Education through Gamification
Jason McClay from G2G3 explained how using game mechanics in a non-game environment makes the activity more engaging. Even just by adding a leaderboard and points system, people are more interested in learning. This can be applied to cyber security education – from a simple employee awareness campaign to teaching security staff what to do in an incident. These are done via games or full simulations of attacks (which can hook into the company’s data to simulate realistic events). He showed an example game, as part of teaching staff about phishing, where you are a bad guy putting together a phishing campaign. You get to choose the most realistic email template, add graphics etc. to teach staff how realistic phishing emails can get. I found this adorable flash game about phishing in my research!
Nathan Dornbrook from ECS did a really interesting presentation about a threat analysis toolkit called TARA – Threat Agent Risk Assessment. TARA is a “method to distil the immense number of possible threats into a manageable picture of the most likely attacks to occur, based upon the objectives and methods of those who possess the capability and desire to do harm. It is a way of conducting risk assessments to produce a more understandable and realistic picture, so effective security decisions can be made.” Basically, from the screenshots he provided, it looks like a spreadsheet with all the different types of threat actor (organised gang, nation state spy, reckless employee etc.), capabilities, company controls, assets etc. You put ticks in the boxes of things that apply to you and it produces a visualisation (e.g. page 7 of this paper) of what threats you should be focusing on. It sounds really useful and I may do a further blog post in more detail about this later.
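To make the “ticks in boxes” description concrete, here is an added example of my own, not Intel’s TARA scoring nor the spreadsheet from the talk: a simplified model in which threat agents lacking either the motive or the means are dropped first, and the remaining agent/method/asset combinations are ranked after the company’s controls are applied. The agent library, method names, asset impacts, control effectiveness values and the product formula are all constructed assumptions.

```python
"""Simplified TARA-style threat prioritisation.

Added illustration, not Intel's TARA or the talk's spreadsheet: the agent
library, method library, scoring formula and sample data are constructed
to show the shape of the method, namely keep only the agents with both the
capability and the motive, then rank the attacks they could mount against
your assets once your controls are accounted for.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ThreatAgent:
    name: str
    motivation: int        # 1..5, how much they want to harm you
    capability: int        # 1..5, skill and resources
    methods: List[str]     # attack methods this agent typically uses


@dataclass
class Asset:
    name: str
    impact: int            # 1..5, damage if compromised
    exposed_to: List[str]  # methods that could reach this asset


# Control effectiveness per method: 0.0 (no control) .. 1.0 (fully mitigated).
Controls = Dict[str, float]


def exposure_score(agent: ThreatAgent, asset: Asset, method: str,
                   controls: Controls) -> float:
    """Assumed formula: likelihood (motive x means) x impact x residual exposure."""
    residual = 1.0 - controls.get(method, 0.0)
    return agent.motivation * agent.capability * asset.impact * residual


def prioritise(agents: List[ThreatAgent], assets: List[Asset], controls: Controls,
               min_motivation: int = 3, min_capability: int = 2
               ) -> List[Tuple[float, str, str, str]]:
    """Return (score, agent, method, asset) tuples, highest residual risk first."""
    ranked = []
    for agent in agents:
        # First cut: an agent with no real motive or no real means is noise.
        if agent.motivation < min_motivation or agent.capability < min_capability:
            continue
        for asset in assets:
            for method in agent.methods:
                if method in asset.exposed_to:
                    ranked.append((exposure_score(agent, asset, method, controls),
                                   agent.name, method, asset.name))
    ranked.sort(key=lambda r: r[0], reverse=True)
    return ranked


# Constructed sample "ticks": who could plausibly come after this company,
# what they hold, and which controls are already in place.
AGENTS = [
    ThreatAgent("organised crime", 5, 4, ["phishing", "malware"]),
    ThreatAgent("nation-state spy", 4, 5, ["supply chain", "malware"]),
    ThreatAgent("reckless employee", 2, 2, ["misconfiguration"]),  # low motive
    ThreatAgent("curious teenager", 3, 1, ["web scanning"]),        # low means
]
ASSETS = [
    Asset("customer PII database", 5, ["phishing", "malware", "misconfiguration"]),
    Asset("public website", 2, ["web scanning", "misconfiguration"]),
    Asset("build pipeline", 4, ["supply chain", "malware"]),
]
CONTROLS = {"phishing": 0.5, "malware": 0.6, "supply chain": 0.0}

if __name__ == "__main__":
    for score, agent, method, asset in prioritise(AGENTS, ASSETS, CONTROLS):
        print(f"{score:5.1f}  {agent:18} {method:14} -> {asset}")
```

With these made-up numbers the unmitigated supply chain route to the build pipeline comes out on top even though the nation-state agent is not the most motivated, which is the point of the exercise: the ranking reflects what is left after your existing controls, not raw threat headlines.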
Realtime filtering & SSL Inspection
Jim Black & Joseph Spadavecchia from Bloxx explained how SSL/TLS inspection can take place and why companies want to do it. Basically, since TLS provides a secure connection between the user and the website, organisations aren’t able to see what their employees’ internet traffic contains. Most large companies monitor non-encrypted traffic for reasons such as data loss prevention, malware analysis, productivity monitoring and high bandwidth consumption monitoring; but as the world moves to encrypting more and more traffic, this gets a lot harder. The talk sparked an interesting couple of questions on the ethics of doing this; the company is essentially ‘breaking’ TLS and inserting itself as a man-in-the-middle to spy on encrypted traffic – which could contain highly sensitive information. Normally, however, solutions offer whitelists (such as online banking, well-known retailers, government websites etc.), but it is up to the company how to implement it.
Cybercrime – the US approach
The closing talk was from Michael Driscoll from the FBI. He mentioned that whilst the biggest threat actor (in terms of volume) in the USA is the organised crime gangs, their main focus is on terrorism and espionage. He went into some detail about how Sony worked really closely with the FBI after the attack on them last year, and really emphasised the need for companies to reach out to law enforcement for any kind of cybercrime.