Your Sector Doesn’t Matter: Achieving Effective Threat Prioritization · 2017-02-06
TRANSCRIPT
#RSAC
Session ID: GRC‐R03
John Miller, Manager, Threat Intelligence, Financial Crime Analysis Group, FireEye
John Hultquist, Manager, Threat Intelligence, Cyber Espionage Analysis Group, FireEye
The Problem
Risk = Probability × Impact
Today’s focus: What influences probability of cyber threats?
Organizations frequently answer “what threats should I care about?” based on relatively simple criteria, particularly what’s happening in their sector or in their region.
BUT: threat actors don’t consistently select their victims that way.
THE RESULT: Organizations miss opportunities to prevent loss rather than remediate damage.
UP NEXT: What factors actually influence which threats affect whom?
How are targets selected?
Cyber Crime
Cyber Crime: Target Selection
Cyber Crime: Abuses of computer systems to steal victims’ money, goods, or services.
Cyber Crime Target Selection
What influences relevance of cyber crime threats?
• Footprint: What infrastructure do you have?
• Services: What do you provide?
• Resources: What do you depend on internally?
Cyber Crime Target Selection: Footprint
Ransomware: Background
• Malware encrypts victims’ devices or data and demands a ransom
• Often associated with credential theft capability
• Improved service models (ransomware offered as a service) are resulting in rapid proliferation
• Growing emphasis on encrypting even if C&C traffic is blocked (no callback required before encryption)
Cyber Crime Target Selection: Footprint
Ransomware: Targeting
• Campaigns typically indiscriminate; victims are grouped by country because social engineering lures, ransom payment logistics, and ransom amounts are tailored per country
• Associated self‐propagation capabilities allow infection to expand without regard to target
• eCrime market models focus on maximizing user bases
Risk influenced by: your accessibility via malware delivery mechanisms (e.g. email) and the ability of the malware to run in your environment (OS types used)
Cyber Crime Target Selection: Footprint
(Chart: ransomware detections by industry)
• Low variation between industries
• Decreasing variation with increasing detections
Cyber Crime Target Selection: Services
Trade‐Based Laundering: Background
• Many eCrime operations continuously purchase and resell goods and services to launder stolen funds
• Mule networks (may be for‐hire) move physical goods
• Gift cards offer a rapid laundering mechanism
• Hospitality, travel, and entertainment tickets are booked just before the event
• Resold to unsuspecting consumers and to other criminals
• Resold in underground, grey‐market, and multi‐vendor sites
Cyber Crime Target Selection: Services
Trade‐Based Laundering: Targeting
• All types of popular, easily‐resold goods and services are abused
• Changes in item popularity or new anti‐fraud barriers drive criminals to the next best alternative
Risk influenced by: the popularity and resale value of the goods and services you sell
Cyber Crime Target Selection: Resources
Corporate Account Takeover: Background
• Advanced credential theft malware compromises organizations’ accounts with a variety of services in order to commit fraud
• Leverages advanced authentication bypass techniques
• The tactic offers higher value per compromise than stereotypical consumer account takeover
• Potential examples: Dridex, TrickBot, GozNym…
Cyber Crime Target Selection: Resources
Corporate Account Takeover: Background (continued)
Service compromised: Potential monetization
• Card Management: Monetary Theft
• Cash Management: Monetary Theft
• Corporate Banking: Monetary Theft
• Data Security: Data Theft
• Fulfillment: Shipping Diversion or Abuse
• Recruiting: Money Mule Recruiting
• Technology: Fraudulent Purchases
Cyber Crime Target Selection: Resources
Corporate Account Takeover: Targeting
• Distribution leverages mass spam combined with tailoring to the recipient (tailoring can be automated)
• Targets services that let perpetrators capitalize on their existing monetization and laundering capabilities
Risk influenced by: your use of typically‐outsourced platforms for finance, HR, shipping, etc.
How are targets selected?
Cyber Espionage
Cyber Espionage Target Selection
Cyber Espionage: Abuses of computer systems to conduct surveillance or monitoring in order to create corporate or political advantage.
Cyber Espionage Target Selection
What influences relevance of cyber espionage threats?
• Information Access: What is accessible from your environment?
• Prominence or Criticality: How would attacking you affect others?
• Presence: Where are you located or active?
Espionage Target Selection: Scenario 1 (diagram only)
Espionage Target Selection: Scenario 2 (diagram only)
Espionage Target Selection: Scenario 3 (diagram only)
How are targets selected?
Hacktivism
Hacktivism: Target Selection
Hacktivism: Disruptive abuses of computer systems to achieve political, religious, nationalistic, social, and other goals.
Hacktivism: Target Selection
What influences relevance of hacktivism threats?
• Associations: What are your actual or presumed relationships?
• Image: What are public perceptions of you?
• Exposure: How hardened are you to threat activity?
Hacktivism Target Selection: Associations
Dyn DDoS: Background
• Mid‐October 2016: Dyn Managed DNS suffered repeated attacks disrupting service to many customers
• The attacks used the Mirai botnet, a variant of the Gafgyt Linux bot
• Followed reports of attacks of up to 1.5 Tbps using the same capability
• Multiple links to hacktivist activity
Hacktivism Target Selection: Associations
Dyn DDoS: Targeting
• Dyn was the organization directly attacked, but other high‐profile organizations that depended on it suffered downtime and the associated potential losses
• Critical service providers are an attractive target in many cases
Risk influenced by: the external providers you depend on (the victims of the downtime were Dyn’s customers, not Dyn’s sector peers)
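The practical check behind this slide is an inventory question: how much of what you run goes dark if one external provider goes dark? The script below is an added example, not part of the RSAC slides or FireEye tooling. It parses dig‐style NS answers for the domains an organization operates (the records and the provider patterns are constructed for illustration), groups each domain by the DNS provider hosting its authoritative name servers, and flags any provider on which at least half of the domains depend exclusively.

```python
"""Provider-dependency check for the Dyn-style scenario above.

Added example, not from the RSAC slides: parse the authoritative NS
records for the domains an organization runs, group them by DNS
provider, and flag any provider whose outage would take down a large
share of those domains. The NS records and the provider patterns are
constructed assumptions for illustration.
"""
from collections import Counter, defaultdict

# Constructed sample in `dig NS` answer-section form (not real records).
SAMPLE_DIG_OUTPUT = """\
example.com.       3600 IN NS ns1.p23.dynect.net.
example.com.       3600 IN NS ns2.p23.dynect.net.
shop.example.com.  3600 IN NS ns3.p23.dynect.net.
shop.example.com.  3600 IN NS ns4.p23.dynect.net.
api.example.com.   3600 IN NS ns1.p23.dynect.net.
api.example.com.   3600 IN NS ns-1.awsdns-00.com.
example.org.       3600 IN NS ns-12.awsdns-01.org.
example.org.       3600 IN NS ns-500.awsdns-62.net.
"""

# Assumed substring -> provider mapping; extend it for your own providers.
PROVIDER_PATTERNS = [
    ("dynect.net", "Dyn"),
    ("awsdns-", "Route 53"),
    ("cloudflare.com", "Cloudflare"),
]


def parse_ns_lines(text):
    """Return {domain: [ns_host, ...]} from dig-style 'name ttl IN NS host' lines."""
    records = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "IN" and parts[3] == "NS":
            records[parts[0].rstrip(".").lower()].append(parts[4])
    return dict(records)


def provider_for(ns_host):
    """Map an NS hostname to a provider name using PROVIDER_PATTERNS."""
    host = ns_host.rstrip(".").lower()
    for pattern, provider in PROVIDER_PATTERNS:
        if pattern in host:
            return provider
    return "unknown"


def providers_per_domain(ns_records):
    """{domain: set of providers serving its NS records}."""
    return {d: {provider_for(h) for h in hosts} for d, hosts in ns_records.items()}


def single_provider_domains(ns_records):
    """Domains whose every authoritative NS sits at one provider (a single point of failure)."""
    return {d: next(iter(p)) for d, p in providers_per_domain(ns_records).items() if len(p) == 1}


def provider_concentration(ns_records):
    """Fraction of all domains that go dark if each provider goes dark."""
    total = len(ns_records)
    if total == 0:
        return {}
    counts = Counter(single_provider_domains(ns_records).values())
    return {prov: n / total for prov, n in counts.items()}


def flag_concentrations(ns_records, threshold=0.5):
    """Providers on which at least `threshold` of the domains depend exclusively."""
    return sorted(p for p, frac in provider_concentration(ns_records).items() if frac >= threshold)


if __name__ == "__main__":
    recs = parse_ns_lines(SAMPLE_DIG_OUTPUT)
    for domain, provs in providers_per_domain(recs).items():
        print(f"{domain:18} {sorted(provs)}")
    print("concentration:", provider_concentration(recs))
    print("flagged:", flag_concentrations(recs))
```

On the constructed data, api.example.com is split across two providers and survives either outage, while two of the four domains depend only on Dyn, so Dyn is flagged at the default 50% threshold. The same grouping applies to any external dependency you can enumerate (CDN, mail relay, identity provider): the question the slide asks is not whether you are in the provider’s sector but whether you are in its blast radius.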
Hacktivism Target Selection: Image
OpIcarus: Background
• Hacktivist activity against financial institutions to protest alleged corruption
• Diverse financial institutions affected; the heaviest DDoS concentration was against central banks
• Key actors include “Harvey Harris” and “Ghost Squad Hackers”
Hacktivism Target Selection: Image
OpIcarus: Targeting
• Virtually any financial institution is a target consistent with the narrative
• Others implicated in the alleged corruption were also affected (e.g. energy)
Risk influenced by: public perception of your involvement in alleged corruption
Hacktivism Target Selection: Exposure
OpRussia: Background
• Anti‐Russia hacktivist campaign
• Mass defacement of Russian websites
• Indications of DDoS attacks
Hacktivism Target Selection: Exposure
OpRussia: Targeting
• Many Russian sites are potential targets
• Mirrors the targeting characteristics of many hacktivist campaigns: a narrative broad enough to be consistent with disparate attacks
Risk influenced by: any connection, however tangential, to Russia; website vulnerability
What should I do?
Application
Evaluate threat probability for your organization based on the factors shaping adversaries’ targets, from the adversaries’ perspective:
• What significant threats exist?
• Who are they affecting and why? Particularly, who are the threats affecting outside where organizations typically look (“my sector,” “my region”)?
• How much does the “why” apply to me also?
• Assume internal risk‐related conversations and decision‐making may require an initial level set
Application
This presentation was: how to evaluate threats for relevance.
This presentation was not (continuing action required on your side):
• Identify existing and potential threats to evaluate
• Gain the understanding needed to evaluate them
Application
Hacktivism
• Associations: What are your actual or presumed relationships?
• Image: What are public perceptions of you?
• Exposure: How hardened are you to threat activity?
Cyber Espionage
• Information Access: What is accessible from your environment?
• Prominence or Criticality: How would attacking you affect others?
• Presence: Where are you located or active?
Cyber Crime
• Footprint: What infrastructure do you have?
• Services: What do you provide?
• Resources: What do you depend on internally?
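To make the nine questions above operational, the script below turns them into a scoring model and compares it with the sector‐only view the talk argues against. It is an added example, not part of the RSAC slides or FireEye tooling: each threat profile states which factors drive its target selection (weights summing to 1), each organization answers the nine questions on a 0..1 scale, and relevance is the weighted sum. Every profile, weight and “reported sectors” tag is a constructed illustration; the point is the method, not the numbers.

```python
"""Factor-based threat relevance scoring.

Added example, not part of the RSAC slides: ranks threats for an
organization using the nine targeting factors listed above rather than
sector or region. Each threat profile says which factors drive its target
selection (weights summing to 1); each organization profile answers the
nine questions on a 0..1 scale. Every profile, weight and sector tag
below is a constructed illustration, not FireEye data.
"""
FACTORS = (
    "footprint", "services", "resources",            # cyber crime
    "information_access", "prominence", "presence",  # cyber espionage
    "associations", "image", "exposure",             # hacktivism
)

# Constructed threat profiles: factor weights plus the sectors where each
# threat has been reported, used only for the sector-only comparison.
THREATS = {
    "ransomware": {
        "weights": {"footprint": 1.0},
        "reported_sectors": {"*"},
    },
    "corporate_account_takeover": {
        "weights": {"resources": 0.7, "footprint": 0.3},
        "reported_sectors": {"financial", "retail"},
    },
    "provider_ddos": {
        "weights": {"associations": 0.6, "exposure": 0.4},
        "reported_sectors": {"internet_infrastructure"},
    },
    "anti_corruption_hacktivism": {
        "weights": {"image": 0.7, "exposure": 0.3},
        "reported_sectors": {"financial", "energy"},
    },
}

# Constructed organization profiles: 0 = factor absent, 1 = strongly present.
ORGS = {
    "regional_bank": {
        "sector": "financial",
        "factors": {"footprint": 0.8, "services": 0.2, "resources": 0.9,
                    "information_access": 0.3, "prominence": 0.4, "presence": 0.2,
                    "associations": 0.3, "image": 0.8, "exposure": 0.3},
    },
    "logistics_company": {
        "sector": "logistics",
        "factors": {"footprint": 0.9, "services": 0.7, "resources": 0.6,
                    "information_access": 0.2, "prominence": 0.7, "presence": 0.5,
                    "associations": 0.7, "image": 0.2, "exposure": 0.8},
    },
}


def validate_profiles(threats=THREATS, orgs=ORGS):
    """Reject unknown factor names, weights not summing to 1, and out-of-range answers."""
    for name, t in threats.items():
        w = t["weights"]
        if set(w) - set(FACTORS) or abs(sum(w.values()) - 1.0) > 1e-9:
            raise ValueError(f"bad weights for threat {name}")
    for name, o in orgs.items():
        f = o["factors"]
        if set(f) != set(FACTORS) or any(not 0.0 <= v <= 1.0 for v in f.values()):
            raise ValueError(f"bad factor answers for org {name}")
    return True


def factor_score(org, threat):
    """Weighted sum of the org's answers over the factors that drive this threat's targeting."""
    return round(sum(w * org["factors"][f] for f, w in threat["weights"].items()), 3)


def sector_score(org, threat):
    """The naive view the talk argues against: 1 if the threat was reported in my sector."""
    s = threat["reported_sectors"]
    return 1.0 if "*" in s or org["sector"] in s else 0.0


def rank(org, threats=THREATS):
    """Threats ordered by factor relevance, highest first (name breaks ties)."""
    return sorted(((n, factor_score(org, t)) for n, t in threats.items()),
                  key=lambda item: (-item[1], item[0]))


def missed_by_sector_view(org, threats=THREATS, threshold=0.5):
    """Threats the sector view drops entirely but the factor view rates at or above threshold."""
    return sorted(n for n, t in threats.items()
                  if sector_score(org, t) == 0.0 and factor_score(org, t) >= threshold)


if __name__ == "__main__":
    validate_profiles()
    for org_name, org in ORGS.items():
        print(org_name, rank(org))
        print("  missed by sector-only prioritization:", missed_by_sector_view(org))
```

With the constructed profiles, the logistics company scores high on corporate account takeover (it depends on outsourced finance and shipping platforms) and on provider‐style DDoS (it is a critical provider with weak hardening), yet a sector‐only view drops both because neither threat was “reported in logistics.” The bank’s sector‐only view happens to agree with the factor view, which is exactly why sector matching feels adequate to organizations in heavily reported sectors and fails everyone else. Replace the constructed weights with your own intelligence on what drives each threat’s targeting; the structure of the comparison stays the same.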
Discussion