Your Sector Doesn’t Matter: Achieving Effective Threat Prioritization (GRC-R03)
John Miller, Manager, Threat Intelligence, Financial Crime Analysis Group, FireEye
John Hultquist, Manager, Threat Intelligence, Cyber Espionage Analysis Group, FireEye
The Problem: Today’s focus: What influences the probability of cyber threats?
The Problem: Organizations frequently answer “what threats should I care about?” based on relatively simple criteria, particularly what’s happening in their sector…
The Problem: …or in their region…
The Problem: … BUT threat actors don’t consistently select their victims that way. The result: organizations miss opportunities to prevent loss rather than remediate damage. Up next: What factors actually influence which threats affect whom?
How are targets selected? Cyber Crime
Cyber Crime: Target Selection. Cyber Crime: Abuses of computer systems to steal victims’ money, goods, or services.
Cyber Crime Target Selection What influences relevance of cyber crime threats?
Cyber Crime Target Selection: Footprint. Ransomware: Background
• Malware encrypts victims’ devices or data, demands ransom
• Often associated with credential theft capability
• Improved service models resulting in rapid proliferation
• Growing emphasis on encrypting even if C&C traffic blocked
Cyber Crime Target Selection: Footprint. Ransomware: Targeting
• Campaigns typically indiscriminate; group victims by country due to social engineering, ransom payment logistics, ransom amount
• Associated self-proliferation capabilities allow infection expansion without regard to target
• eCrime market models focus on maximizing user bases
Risk influenced by: Your accessibility via malware delivery mechanisms (email) and ability for malware to run (OS types used)
Cyber Crime Target Selection: Footprint
• Low variation between industries
• Decreasing variation with increasing detections
Cyber Crime Target Selection: Services. Trade-Based Laundering: Background
• Many eCrime operations purchase and resell goods and services continuously to launder stolen funds
• Mule networks (may be for-hire) move physical goods
• Gift cards offer rapid laundering mechanism
• Hospitality, travel, entertainment tickets booked just before event
• Resold to unsuspecting consumers, other criminals
• Resold in underground, grey-market sites, multi-vendor sites
Cyber Crime Target Selection: Services. Trade-Based Laundering: Targeting
• All types of popular, easily-resold goods and services abused
• Changes in item popularity or anti-fraud barriers drive criminals to next best alternative
Risk influenced by: Popularity of goods and services you sell
Cyber Crime Target Selection: Resources. Corporate Account Takeover: Background
• Advanced credential theft malware compromises organizations’ accounts with variety of services for fraud
• Leverage advanced authentication bypass techniques
• Tactic offers higher value per compromise than stereotypical consumer account takeover
• Potential examples: Dridex, TrickBot, GozNym…
Cyber Crime Target Selection: Resources. Corporate Account Takeover: Targeting
• Distribution leverages combination of mass spam with tailoring (can be automated) to recipient
• Compromise services offering opportunity to capitalize on perpetrators’ monetization and laundering capabilities
Risk influenced by: Your use of typically-outsourced platforms for finance, HR, shipping, etc.
How are targets selected? Cyber Espionage
Cyber Espionage Target Selection. Cyber Espionage: Abuses of computer systems to conduct surveillance or monitoring in order to create corporate or political advantage.
Cyber Espionage Target Selection What influences relevance of cyber espionage threats?
How are targets selected? Hacktivism
Hacktivism: Target Selection. Hacktivism: Disruptive abuses of computer systems to achieve political, religious, nationalistic, social, and other goals.
Hacktivism: Target Selection What influences relevance of hacktivism threats?
Hacktivism Target Selection: Associations. Dyn DDoS: Background
• Mid-October: Dyn Managed DNS suffers repeat attacks disrupting service to many customers
• Attacks use Mirai botnet, variant of Gafgyt Linux bot
• Followed reports of attacks up to 1.5 Tbps using same capability
• Multiple links to hacktivist activity
Hacktivism Target Selection: Associations. Dyn DDoS: Targeting
• Dyn was directly attacked, but other high-profile organizations suffered downtime and associated potential losses
• Critical service providers an attractive target in many cases
Risk influenced by: What external providers victims depended on
Hacktivism Target Selection: Image. OpIcarus: Background
• Hacktivist activity against financials to protest alleged corruption
• Diverse financials affected; heaviest DDoS concentration against central banks
• Key actors include “Harvey Harris,” “Ghost Squad Hackers”
Hacktivism Target Selection: Image. OpIcarus: Targeting
• Virtually any financial a target consistent with narrative
• Others involved in alleged corruption also affected (e.g. energy)
Risk influenced by: Perception of alleged corruption
Hacktivism Target Selection: Exposure. OpRussia: Background
• Anti-Russia hacktivist campaign
• Mass defacement of Russian websites
• Indications of DDoS attacks
Hacktivism Target Selection: Exposure. OpRussia: Targeting
• Many Russian sites potential targets
• Mirrors targeting characteristics of many hacktivist campaigns based on narratives consistent with disparate attacks
Risk influenced by: Any connection, however tangential, to Russia; website vulnerability
Application
• Evaluate threat probability for your organization based on the factors shaping adversaries’ targets, from the adversaries’ perspective
• What significant threats exist?
• Who are they affecting and why?
• Particularly, who are threats affecting outside where organizations typically look – “my sector,” “my region”?
• How much does the “why” apply to me also?
• Assume internal risk-related conversations and decision-making may require an initial level set
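To make the application step concrete, here is an added example (not from the slides or from FireEye) that ranks the threats discussed above against an organization profile built only from the targeting factors the deck names; the two constructed profiles, the weights and the field names are all assumptions.

```python
"""Added example: rank threats by adversary targeting factors, with no sector or region field."""
from dataclasses import dataclass, field

@dataclass
class Threat:
    name: str
    # each factor: (label, predicate over the org profile, weight) -- weights are assumed
    factors: list = field(default_factory=list)

THREATS = [
    Threat("Ransomware (footprint)", [
        ("reachable by mass email delivery", lambda o: o["email_users"] > 0, 2),
        ("runs an OS the malware targets", lambda o: "windows" in o["os"], 2),
    ]),
    Threat("Trade-based laundering (services)", [
        ("sells popular, easily-resold goods/services", lambda o: o["sells_resellable_goods"], 3),
    ]),
    Threat("Corporate account takeover (resources)", [
        ("uses outsourced finance/HR/shipping platforms", lambda o: o["outsourced_platforms"], 3),
    ]),
    Threat("Provider DDoS, Dyn-style (associations)", [
        ("depends on a shared critical provider", lambda o: bool(o["critical_providers"]), 2),
    ]),
]

def score(org):
    """Return [(threat name, score, reasons)] sorted by descending relevance."""
    ranked = []
    for t in THREATS:
        hits = [(label, w) for label, pred, w in t.factors if pred(org)]
        ranked.append((t.name, sum(w for _, w in hits), [label for label, _ in hits]))
    return sorted(ranked, key=lambda r: -r[1])  # stable: ties keep list order

# Constructed profiles: a retailer and a law firm share ransomware exposure despite different sectors
RETAILER = {"email_users": 500, "os": {"windows"}, "sells_resellable_goods": True,
            "outsourced_platforms": True, "critical_providers": ["managed DNS"]}
LAW_FIRM = {"email_users": 80, "os": {"windows", "macos"}, "sells_resellable_goods": False,
            "outsourced_platforms": True, "critical_providers": []}

if __name__ == "__main__":
    for name, org in (("retailer", RETAILER), ("law firm", LAW_FIRM)):
        print(name)
        for threat, s, reasons in score(org):
            print(f"  {s:>2}  {threat}: {', '.join(reasons) or 'no factor applies'}")
```

The output lists, per organization, which adversary-side factor produced each score, which is the "why" the Application slide asks you to map onto your own organization.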
Application
This presentation was…
• How to evaluate threats for relevance
This presentation was not / continuing action required…
• Identify existing and potential threats to evaluate
• Gain understanding needed to evaluate them