
Your Sector Doesn’t Matter: Achieving Effective Threat Prioritization

Session GRC-R03. Presented by John Miller (Manager, Threat Intelligence, Financial Crime Analysis Group, FireEye) and John Hultquist (Manager, Threat Intelligence, Cyber Espionage Analysis Group, FireEye).


Presentation Transcript


  1. Your Sector Doesn’t Matter: Achieving Effective Threat Prioritization (GRC-R03)
  John Miller, Manager, Threat Intelligence, Financial Crime Analysis Group, FireEye
  John Hultquist, Manager, Threat Intelligence, Cyber Espionage Analysis Group, FireEye

  2. The Problem

  3. The Problem
  Today’s focus: What influences the probability of cyber threats?

  4. The Problem
  Organizations frequently answer “what threats should I care about?” based on relatively simple criteria, particularly what’s happening in their sector…

  5. The Problem
  …or in their region…

  6. The Problem
  … BUT threat actors don’t consistently select their victims that way.
  The result: organizations miss opportunities to prevent loss rather than remediate damage.
  Up next: What factors actually influence which threats affect whom?

  7. How are targets selected? Cyber Crime

  8. Cyber Crime: Target Selection
  Cyber Crime: abuses of computer systems to steal victims’ money, goods, or services.

  9. Cyber Crime Target Selection
  What influences the relevance of cyber crime threats?

  10. Cyber Crime Target Selection: Footprint
  Ransomware: Background
  • Malware encrypts victims’ devices or data and demands a ransom
  • Often associated with credential theft capability
  • Improved service models resulting in rapid proliferation
  • Growing emphasis on encrypting even if C&C traffic is blocked

  11. Cyber Crime Target Selection: Footprint
  Ransomware: Targeting
  • Campaigns typically indiscriminate; victims grouped by country due to social engineering, ransom payment logistics, and ransom amount
  • Associated self-proliferation capabilities allow infection expansion without regard to target
  • eCrime market models focus on maximizing user bases
  Risk influenced by: your accessibility via malware delivery mechanisms (email) and the ability for malware to run (OS types used)

  12. Cyber Crime Target Selection: Footprint
  • Low variation between industries
  • Decreasing variation with increasing detections

  13. Cyber Crime Target Selection: Services
  Trade-Based Laundering: Background
  • Many eCrime operations purchase and resell goods and services continuously to launder stolen funds
  • Mule networks (may be for-hire) move physical goods
  • Gift cards offer a rapid laundering mechanism
  • Hospitality, travel, and entertainment tickets booked just before the event
  • Resold to unsuspecting consumers and other criminals
  • Resold in underground, grey-market, and multi-vendor sites

  14. Cyber Crime Target Selection: Services
  Trade-Based Laundering: Targeting
  • All types of popular, easily-resold goods and services abused
  • Changes in item popularity or anti-fraud barriers drive criminals to the next best alternative
  Risk influenced by: popularity of the goods and services you sell

  15. Cyber Crime Target Selection: Resources
  Corporate Account Takeover: Background
  • Advanced credential theft malware compromises organizations’ accounts with a variety of services for fraud
  • Leverages advanced authentication bypass techniques
  • Tactic offers higher value per compromise than stereotypical consumer account takeover
  • Potential examples: Dridex, TrickBot, GozNym…

  16. Cyber Crime Target Selection: Resources
  Corporate Account Takeover: Background

  17. Cyber Crime Target Selection: Resources
  Corporate Account Takeover: Targeting
  • Distribution leverages a combination of mass spam with tailoring (can be automated) to the recipient
  • Compromises services offering an opportunity to capitalize on perpetrators’ monetization and laundering capabilities
  Risk influenced by: your use of typically-outsourced platforms for finance, HR, shipping, etc.

  18. How are targets selected? Cyber Espionage

  19. Cyber Espionage Target Selection
  Cyber Espionage: abuses of computer systems to conduct surveillance or monitoring, in order to create corporate or political advantage.

  20. Cyber Espionage Target Selection
  What influences the relevance of cyber espionage threats?

  21. Espionage Target Selection: Scenario 1

  22. Espionage Target Selection: Scenario 2

  23. Espionage Target Selection: Scenario 3

  24. How are targets selected? Hacktivism

  25. Hacktivism: Target Selection
  Hacktivism: disruptive abuses of computer systems to achieve political, religious, nationalistic, social, and other goals.

  26. Hacktivism: Target Selection
  What influences the relevance of hacktivism threats?

  27. Hacktivism Target Selection: Associations
  Dyn DDoS: Background
  • Mid-October: Dyn Managed DNS suffers repeat attacks disrupting service to many customers
  • Attacks use the Mirai botnet, a variant of the Gafgyt Linux bot
  • Followed reports of attacks up to 1.5 Tbps using the same capability
  • Multiple links to hacktivist activity

  28. Hacktivism Target Selection: Associations
  Dyn DDoS: Targeting
  • Dyn was directly attacked, but other high-profile organizations suffered downtime and associated potential losses
  • Critical service providers are an attractive target in many cases
  Risk influenced by: what external providers victims depended on

  29. Hacktivism Target Selection: Image
  OpIcarus: Background
  • Hacktivist activity against financials to protest alleged corruption
  • Diverse financials affected; heaviest DDoS concentration against central banks
  • Key actors include “Harvey Harris,” “Ghost Squad Hackers”

  30. Hacktivism Target Selection: Image
  OpIcarus: Targeting
  • Virtually any financial is a target consistent with the narrative
  • Others involved in alleged corruption also affected (e.g. energy)
  Risk influenced by: perception of alleged corruption

  31. Hacktivism Target Selection: Exposure
  OpRussia: Background
  • Anti-Russia hacktivist campaign
  • Mass defacement of Russian websites
  • Indications of DDoS attacks

  32. Hacktivism Target Selection: Exposure
  OpRussia: Targeting
  • Many Russian sites are potential targets
  • Mirrors the targeting characteristics of many hacktivist campaigns: narratives consistent with disparate attacks
  Risk influenced by: any connection, however tangential, to Russia; website vulnerability

  33. What should I do?

  34. Application
  • Evaluate threat probability for your organization based on the factors shaping adversaries’ targets, from the adversaries’ perspective
  • What significant threats exist?
  • Who are they affecting and why?
  • Particularly, who are threats affecting outside where organizations typically look – “my sector,” “my region”?
  • How much does the “why” apply to me also?
  • Assume internal risk-related conversations and decision-making may require an initial level set
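The evaluation on this slide can be made mechanical: describe the organization by the targeting factors the deck identifies (footprint, services, resources, associations, image, exposure) instead of by sector or region, and rank the deck's threat examples by how many of their factors match. The script below is an added illustration, not FireEye's or the presenters' code; the weights and the sample organization profile are constructed assumptions.

```python
"""Factor-based threat relevance ranking (added example; weights and
sample profile are assumptions, threat factors paraphrase the deck)."""

# Each threat lists the organizational attributes that drive its relevance,
# taken from the deck's "Risk influenced by" slides. Weights are illustrative.
THREATS = {
    "Ransomware (footprint)": {"email_reachable": 2, "windows_endpoints": 1},
    "Trade-based laundering (services)": {"sells_resalable_goods": 3},
    "Corporate account takeover (resources)": {"outsourced_finance_hr_platforms": 3},
    "Provider DDoS, e.g. Dyn (associations)": {"critical_external_providers": 2},
    "OpIcarus-style DDoS (image)": {"linked_to_corruption_narrative": 3},
    "OpRussia-style defacement (exposure)": {"russia_connection": 2,
                                             "vulnerable_websites": 1},
}


def score_threats(profile):
    """Rank threats by the weighted count of targeting factors the org matches.

    `profile` maps attribute name -> bool. Sector and region are deliberately
    not part of the profile, which is the talk's point. Returns a list of
    (threat, score, matched_factors), highest score first; ties keep the
    dictionary order above.
    """
    ranked = []
    for name, factors in THREATS.items():
        hits = [f for f in factors if profile.get(f, False)]
        ranked.append((name, sum(factors[f] for f in hits), hits))
    ranked.sort(key=lambda t: t[1], reverse=True)  # stable sort keeps tie order
    return ranked


# Constructed sample: an organization that sells nothing easily resold, runs
# outsourced payroll, depends on a managed DNS provider, and has a weak website.
SAMPLE_PROFILE = {
    "email_reachable": True, "windows_endpoints": True,
    "sells_resalable_goods": False, "outsourced_finance_hr_platforms": True,
    "critical_external_providers": True, "linked_to_corruption_narrative": False,
    "russia_connection": False, "vulnerable_websites": True,
}

if __name__ == "__main__":
    for name, total, hits in score_threats(SAMPLE_PROFILE):
        print(f"{total:2d}  {name:42s} {', '.join(hits) or '-'}")
```

The output lists the matched factors beside each score, so the "why" behind every ranking is visible for the internal level-set conversation the slide mentions.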

  35. Application
  This presentation was…
  • How to evaluate threats for relevance
  This presentation was not / continuing action required…
  • Identify existing and potential threats to evaluate
  • Gain the understanding needed to evaluate them

  36. Application

  37. Discussion
