Hi. My name is Bob. I'm here to talk to you about DDoS and APTs. DDoS stands for distributed denial-of-service. Distributed, meaning it comes from all sorts of different locations simultaneously. Originally DoS, denial-of-service, was a very simple thing to do. Simply download a program, something like LOIC or HOIC. "Imma Chargin', Mah Lazers." That's what LOIC starts with. As you can see it's a simple program: you hit the "Start" button and it starts flooding traffic to whatever source you want it to, thus in theory slowing it down. Now the internet obviously has become such a massive pipe that it's almost impossible to bring down a website or some other source with one program from your home IP address. So, groups of people got together and banded together and said, okay, at 3 o'clock we're going to flood this particular IP using LOIC. That was our first Distributed Denial-of-Service attack. Why would they do this? Multiple reasons. A lot of hacktivists, protesters. Those were the earliest ones. As we move forward, it's actually become money that people are interested in. There are actually places like stressers and booters that claim that they are legitimate businesses, and they utilize zombies, zombies being computers that are infected throughout the entire world, that they have control of through command and control channels. So if they get irritated, they simply tell these zombies to attack a particular website and go forward and bring it to its knees. Interestingly enough, you can actually see a lot of these attacks in the real world by simply doing a search on the internet for DDoS maps. Here's an example of a DDoS map. As you can see, the graphics make it pretty simple, and if you look at the text near the bottom, you'll actually see what kind of packets are hitting these different sites, where they're originating and what exactly is going on.
If you're lucky enough, you'll be watching this segment when something big happens, and it's really quite interesting to keep your eye on. I do have to mention however that doing such things, bringing down sites, is illegal and you can be charged or fined a lot and possibly even go to jail. As you'll see if you watch the movie We Are Legion, they discuss that in quite some depth. Recently, we've got some examples of some really big DDoS attacks. There's a thing called Mirai that came out recently. It's a program that utilizes IoTs, IoTs being Internet of Things. It's the new buzzword, as you know. These IoTs had default passwords and default names, so you could simply log in automatically. Mirai scripted this process, and Krebs on Security, a well-known security writer, had his website brought down; even though he's fully protected from these DDoS attacks, the amount of flooding actually just stopped his site completely. An even more interesting attack recently happened when somebody attacked Dyn DNS in October of 2016. So why would they attack Dyn DNS? Dynamic DNS, Dyn DNS, is a way that people look up websites, so if you type in a website name, it resolves to an IP address. A lot of companies use Dyn DNS as that resolution piece, and by flooding it with tons and tons of traffic, it brought down Dyn DNS, and if you were on the internet that day, you would know it because all the big sites were going down, not because they were brought down but because Dyn DNS was brought down. By bringing down Dyn DNS, it made it impossible for that resolution to occur and nobody could reach any sites. It was big news. It made the news quite a bit that day. I do have a heatmap from there. As you can see, it hit the East Coast, West Coast and really made things difficult that day for a lot of people. That's a short description of Distributed DoS and I hope that you find that somewhat interesting. It's easy to find lots of information on it.
Remember, if you're going to download LOIC and HOIC, play safe because you can get in trouble. Now, let's talk about APTs. A for advanced, P for persistent, and T for threat. What makes this different from a regular old threat? Well, if you think about it, a lot of threats and malware are simply sent out by random emails hoping to get people to click on things. Of course, in the last couple of years everybody has heard of ransomware. And that's just a hit-and-miss, good luck, hopefully make some money kind of deal. Whereas an advanced persistent threat goes after a particular target, and there are numerous ways they can do that. In a lot of ways they use dox, or look up as much information as they possibly can on the company; they also look at the CEO of the company, find the names of family members, phone numbers, whatever, and use social engineering to actually find ways to get that person to disclose information about their network. They also target third parties that come in with computers that are well known, such as HVAC vendors, just like Target had, and when they find there is special information for this particular target, they're actually looking for a particular target and not randomly choosing one. Then once they get inside that network, they're looking for persistence. Now they want to make money, but not like ransomware, where it's a one-time shot and then it's over; they want to get inside that network. They're interested in intellectual property, governmental information and who knows what else. A lot of these have cost companies a lot of money and even caused some, a lot of smaller businesses, to potentially close. A lot of larger businesses are having struggles with even staying in control. Sony, for example, lost so much data that it caused mass havoc, including their emails. So, the persistence piece comes in because once they do get in there, they want to have control.
They want to slowly milk what they can out of this intellectual property, out of this company, whether it'll be money or movies or simply emails, anything they can. A great example is Carbanak. It started in Ukraine. They got this malware in by sending a simple CPL file, that's a control panel file, that's a semi-executable, considered to be a portable executable, to a banking person in the Ukraine. That infected their computer, reached out, downloaded the necessary executables and called home. Once these criminals had the software inside their system, they were able to pivot, that is, go from computer to computer internally, quietly, because they're interested in persistence, they're not interested in the fast grab-it-and-run. Once they got in there and started pivoting around, they were actually able to control the ATM machines. They would then hire these mules, these people they called mules; these mules would go over to an ATM machine at a particular time of day and just stand there and wait until the persistent attack had controlled that ATM and said, hey, spit out $1,000 at 3 o'clock in the afternoon. The mule would grab that money, bring it home, and they would share. This went on for years before anybody noticed because they were able to juggle the accounts. The other thing that they ended up doing, and this is really interesting, is they installed a RAT on some of these systems inside the banks. The RAT, RAT meaning remote access tool, allowed them to actually control the computer, take videos of the use of the accounting software, which the criminals were not familiar with, and by simply watching these videos and keylogging, they were actually able to learn the accounting system that was being utilized in that bank. Once they learned how to use that accounting system, they were able to create all kinds of different fake accounts, transfer money, everything else. Persistence, that is the key with APTs.
That went on for a long time and, as a matter of fact, it's still going on to this day. The estimate is about a billion dollars, but nobody really truly knows because it was such an advanced persistent attack. Carbanak is still in use today. It's still running around the networks of many banks and financial institutions throughout the world. Well, I hope you found these two topics somewhat interesting, DDoS and APTs. There's a lot more out there to learn about, but I find it terribly interesting. If you're bored, check out exploit kits. Until next time. This is Bob. I'm signing off.
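The talk's point that a DDoS comes "from all sorts of different locations simultaneously" is exactly what defeats the simplest defence, a per-client rate limit. The following added example (not part of Bob's talk; the log format, thresholds, and traffic are all constructed for illustration) runs two detectors over sample web-server log lines: a classic per-source limit, which catches a single flooding client, and a site-wide aggregate limit, which is what still fires when the same volume is spread over hundreds of sources that each stay under the per-client threshold.

```python
"""Per-source vs aggregate flood detection over constructed web-server log lines.

Added example for the DDoS discussion; not code from the original talk.
Log line format (constructed): "<epoch_seconds> <source_ip> <path>".
"""
from collections import Counter, defaultdict

WINDOW_SECONDS = 10      # detection window (assumed value)
PER_IP_LIMIT = 20        # assumed per-client threshold per window
AGGREGATE_LIMIT = 200    # assumed site-wide threshold per window


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, path)."""
    ts, ip, path = line.split()
    return int(ts), ip, path


def bucket_by_window(lines, window=WINDOW_SECONDS):
    """Return {window_start: Counter(ip -> request count)} for the log."""
    buckets = defaultdict(Counter)
    for line in lines:
        ts, ip, _ = parse_line(line)
        buckets[(ts // window) * window][ip] += 1
    return buckets


def per_source_offenders(lines, limit=PER_IP_LIMIT):
    """IPs exceeding the per-client limit in any window (classic rate limiting)."""
    offenders = set()
    for counts in bucket_by_window(lines).values():
        offenders.update(ip for ip, n in counts.items() if n > limit)
    return offenders


def aggregate_offenders(lines, limit=AGGREGATE_LIMIT):
    """Window start times whose total request count exceeds the site-wide limit."""
    return sorted(start for start, counts in bucket_by_window(lines).items()
                  if sum(counts.values()) > limit)


def classify(lines):
    """Label a log as normal, a single-source flood, or a distributed flood."""
    if per_source_offenders(lines):
        return "single-source flood"
    if aggregate_offenders(lines):
        return "distributed flood"
    return "normal"


def make_log(num_sources, requests_per_source, start=1000):
    """Constructed traffic: every source sends its requests inside one window."""
    lines = []
    for i in range(num_sources):
        ip = f"10.0.{i // 250}.{i % 250 + 1}"          # constructed private addresses
        for k in range(requests_per_source):
            lines.append(f"{start + k % WINDOW_SECONDS} {ip} /index.html")
    return lines


# Three constructed scenarios, all within the same 10 s window.
NORMAL = make_log(50, 2)          # 100 requests, no client above 20
SINGLE = make_log(1, 150)         # one client sends 150 requests
DISTRIBUTED = make_log(300, 1)    # 300 clients, one request each

if __name__ == "__main__":
    for name, log in (("normal", NORMAL), ("single", SINGLE), ("distributed", DISTRIBUTED)):
        print(name, classify(log), per_source_offenders(log), aggregate_offenders(log))
```

The per-source detector sees nothing wrong with the distributed case because every one of the 300 clients sent only one request; only the aggregate window count reveals the flood. That is why DDoS mitigation has to look at total volume, request mix, and origin spread rather than at any single address.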