Webinar Notes: Clarifying and Understanding Cyber Threats and Actors

Webinar Focus (0:16)

  • Introduction to the cyber concerns and actors that law enforcement, public safety, and homeland security should be aware of.
  • Various profiles of cyber threat actors
  • Assessing and mitigating risk of cyber threats

 

Resource Speakers (00:54)

  • Stacey Wright

    • Senior Intelligence Program Manager, Center for Internet Security (CIS), a contractor for the Department of Homeland Security
    • Runs the intelligence team for the Multi-State Information Sharing and Analysis Center (MS-ISAC). Her team provides:

      • Strategic, operational and tactical cyber threat intelligence at the state, local, tribal and territorial (SLTT) level.
      • Provides comprehensive actionable intelligence analysis
    • Formerly a Cyber Intelligence Analyst for the FBI-Albany Division
    • Started career as an Information Systems Specialist dealing with a city’s emergency communications and fire department
    • Formally trained intelligence analyst and national speaker on cybercrime
    • Teaches graduate cybersecurity and threat intelligence classes at the State University of New York

 

The Justice Clearinghouse (02:06)

  • Peer-to-peer educational program for justice professionals
  • Year-round virtual conferences on law enforcement and justice-related topics
  • Events are free-to-attend, with subscribers having 24/7 access to recorded webinars.
  • Attendees are eligible for certifications which may be used for continuing education credits.
  • Interactive 60-minute webinars with quick polls, Q&A, and feedback survey

 

Overview (03:55)

  • Goals

    • Get background knowledge to protect agency, further investigation
    • Understand who the actors are
  • What is MS-ISAC?

    • One of 24 ISACs (Information Sharing and Analysis Centers), each focused on a critical infrastructure sector.
    • Assists with cyberthreat prevention, protection, response, and recovery.
    • Funded by DHS, and may be utilized by state, local, tribal, and territorial (SLTT) governments.
  • Things to keep in mind (Enumerations)

    • Cyber actors change every day
  • Identifying the actors and assessing the risk

 

4 Approaches (09:24)

  • Opportunistic vs. Strategic

    • Opportunistic

      • Actor chose the victim by chance/convenience
      • E.g. Home burglary
    • Strategic

      • Victim was specifically chosen, consistently targeted, there is a motivation
      • Involves research, reconnaissance
      • E.g. Bank robbery
  • Manual vs. Automated

    • Automated

      • There are tools to do it
    • Manual

      • Someone doing it by hand

 

3 Purposes (12:58)

  • The CIA Information Assurance Triad

    • Confidentiality
    • Integrity
    • Availability
  • When protecting information, we want it to remain confidential, unchanged and available to those who need it
  • The DAD Information Triad (the attacker's view; each item is the negation of one CIA property)

    • Disclosure

      • People are seeing confidential information
    • Alteration

      • Changing the data
    • Destruction

      • Disrupting, denying, degrading the information

 

5 Discovery Methods (15:00)

  • Actor Disclosure

    • Actor owns up and announces
  • External Notification

    • Another entity like FBI advises that something changed/happened
  • Monitoring Detection

    • Systems in place detect that something is occurring, e.g.:

      • Antivirus
      • Firewall
  • End Results

    • When the irregularity is not detected by the systems in place, only the result of the attack is seen, e.g.:

      • Server goes down
      • No one can access the website
  • Audit

    • Auditor discovers the activity in the logs after the fact
    • This is how discovery frequently happens

 

5 Assertions (17:14)

  • Confirmed

    • The actor's claim and the issue actually encountered match; the incident has been verified
  • Suspected

    • Website may be down and irregularities may have been observed
    • Logs have not been reviewed or checked yet, so it remains suspected
  • Claimed

    • Cyber threat actors claim to have accessed, compromised, etc. the data, but none of the claims have been confirmed yet
  • False Positive

    • The claim or alert turned out not to be real
  • Threatened

    • Future action, planned, may not even materialize

 

8 Common Targets (20:22)

  • Frequently Targeted

    • Personally Identifiable Information (PII)
    • Protected Health Information (PHI / ePHI)
    • Credit Cards
    • Money
    • Sensitive Data/Intellectual Property (IP)
    • Login Credentials – to access the system
    • Infrastructure/Resources – your computing resources
    • Anything and Everything

      • Whatever they can get
      • They’ll find a way to use what they get
  • Goes back to the 3 purposes

    • Usually disclosure and alteration, rarely for disruption

 

6 Actor Types (22:26)

  • Nation-States

    • A.k.a. Advanced Persistent Threat (APT)
    • Examples:

      • Hired contractors, students, members of the military or other government organization
      • Primary

        • Russia – after US classified intelligence
        • China – after US classified intelligence
      • Secondary

        • Iran – after US classified intelligence, AND destruction
        • North Korea – after US classified intelligence, AND destruction

          • WannaCry – ransomware attributed to North Korea; financial motivation
    • Characteristics

      • Skill Level: Mid to High
      • Risk Level: Mid to High
      • Impact Level: Mid to Severe
      • Approaches: Strategic, Manual, Automated
      • Purposes: Disclosure, Alteration, Destruction
      • Discovery: External, Monitoring, Audit, End Results
      • Assertions: Confirmed, Suspected
      • Targets: IP, Logins, Resources, PII, PHI, Money
      • Motivations: Espionage, Political, Disruption, Financial
      • TTPs: Malware, Privilege Esc, Cred Reuse, Phishing, Spoofing
    • Highlights:

      • Kill Chain includes reconnaissance
      • Zero-days: as long as the vulnerability is unknown to the vendor and to defenders, the actor can keep using it to extract information; once it is published (and patched), it loses most of its value, although unpatched systems remain exposed.
  • Terrorists

    • Characteristics

      • Skill Level: Low
      • Risk Level: Low
      • Impact Level: Limited
      • Approaches: Opportunistic/Strategic, Manual/Automated
      • Purposes: Destruction, Disclosure
      • Discovery: Disclosure, External, Monitoring
      • Assertions: Confirmed, Suspected, Claimed, Threatened
      • Targets: Resources, Money, Other
      • Motivations: Ideological, Political, Disruption, Grudge, Fear/Duress, Notoriety
      • TTPs: Defacements (cyber graffiti), Info Disclosure, SQLi, XSS
    • Highlights:

      • Often rely on tools
      • Intent
  • Cybercriminals

    • Characteristics

      • Skill Level: Low to High
      • Risk Level: Low to High
      • Impact Level: Low to Severe
      • Approaches: Opportunistic/Strategic, Manual/Automated
      • Purposes: Destruction, Disclosure
      • Discovery: Disclosure, External, Monitoring, Audit, End Results
      • Assertions: Confirmed, Suspected, Claimed, Threatened, False Positive
      • Targets: PII, PHI, Credit Cards, Money, Logins, Resources
      • Motivations: Financial, Disruption, Fun, Convenience, Notoriety, Challenge
      • TTPs: Malware, Privilege Esc, Cred Reuse, Phishing, Spoofing
    • Highlights:

      • Can be organized, efficient
      • Can have strict hierarchies and divisions of labor
  • Hacktivists

    • Example: Anonymous
    • Characteristics

      • Skill Level: Low
      • Risk Level: Low to Mid
      • Impact Level: Limited to Moderate
      • Approaches: Opportunistic/Strategic, Manual/Automated
      • Purposes: Destruction, Disclosure
      • Discovery: Disclosure, External, Monitoring, Audit, End Results
      • Assertions: Confirmed, Suspected, Claimed, Threatened
      • Targets: Sensitive Data, Anything and Everything
      • Motivations: Ideological, Grudge, Fun, Notoriety, Political
      • TTPs: DDoS, Phishing, Defacements, SQLi, XSS, Info Disclosure
    • Highlights:

      • Anti-government
      • Often rely on tools
      • Data dumps
      • Physical actions
      • Doxing
  • Insiders

    • Example: People who work for you, contractors, IT administrators, security guards, janitors
    • Characteristics

      • Skill Level: Low to High
      • Risk Level: Low to High
      • Impact Level: Limited to Catastrophic
      • Approaches: Strategic, Automated
      • Purposes: Alteration, Destruction, Disclosure
      • Discovery: External, Monitoring, Audit, End Results
      • Assertions: Confirmed, Suspected, Threatened
      • Targets: Infrastructure/Resources, Money, Anything
      • Motivations: Espionage, Accidental, Grudge, Personal Gain, Disruption, Financial, Fear/Duress, Challenge
      • TTPs: Malware, Privilege Esc, MitM, Info Disclosure
  • Criminals

    • Example: Street-level gangs that have moved into identity theft and tax fraud, crimes that are now carried out in the cyber realm
    • Characteristics

      • Skill Level: Low
      • Risk Level: Low
      • Impact Level: Limited to Severe
      • Approaches: Strategic, Manual
      • Purposes: Alteration, Destruction, Disclosure
      • Discovery: End Results, External, Monitoring, Audit
      • Assertions: Confirmed, Suspected
      • Targets: Anything and Everything
      • Motivations: Financial, Convenience, Fear/Duress, Grudge
      • TTPs: Malware, Privilege Esc, MitM, Info Disclosure

 

Personalities (36:47)

  • Home user/student

    • Script kiddies, lone hackers, hacktivists
    • Range of skills, TTPs
    • In it for the “lulz,” notoriety, financial gain
  • Businessman

    • Lone hacker
    • Range of skills, TTPs
    • Programmer, hacker-for-hire, botmaster
  • Business

    • Organized criminals, nation-states
    • Financial gain, espionage, destruction

 

13 Motivations (38:01)

  • Characteristics of motivations

    • Exploitation

      • Enabling operations and intelligence collection carried out through computer networks to gather data from a target (the DoD term is Computer Network Exploitation, CNE)
    • Attack

      • Actions taken through computer networks to disrupt, deny, degrade or destroy information on a network, device or infrastructure, or the systems themselves (the DoD term is Computer Network Attack, CNA)
  • Types of Motivations

    • Accidental – Exploitation and Attack
    • Challenge – Exploitation and Attack
    • Convenience – Exploitation and Attack
    • Disruption – Attack
    • Espionage – Exploitation
    • Fear/Duress – Attack
    • Financial – More Exploitation and Less Attack
    • Fun (lulz) – Exploitation and Attack
    • Grudge – Attack
    • Ideology – Less Exploitation and More Attack
    • Notoriety – Less Exploitation and More Attack
    • Personal Gain – More Exploitation and Less Attack
    • Political – Less Exploitation and More Attack

 

Correlations (39:50)

  • Actors to Motivations

    • Nation-State

      • Espionage
      • Political
      • Disruption
      • Financial
    • Criminal

      • Convenience
      • Fear/Duress
      • Financial
      • Grudge
    • Cybercriminal

      • Financial
      • Fun
      • Disruption
      • Convenience
      • Notoriety
      • Challenge
    • Insider

      • Espionage
      • Accidental
      • Disruption
      • Personal Gain
      • Grudge
      • Fear/Duress
    • Hacktivist

      • Ideological
      • Grudge
      • Fun
      • Notoriety
      • Political
    • Terrorist

      • Ideological
      • Notoriety
      • Grudge
      • Fear/Duress
      • Political
      • Disruption
  • Purpose to Motivations

    • Espionage – Disclosure
    • Challenge – Disclosure and Destruction
    • Fun – Disclosure and Destruction
    • Notoriety – Disclosure and Destruction
    • Financial – Disclosure and Destruction
    • Personal Gain – Disclosure, Alteration and Destruction
    • Accidental – Disclosure, Alteration and Destruction
    • Ideological – Disclosure, Alteration and Destruction
    • Grudge – Disclosure, Alteration and Destruction
    • Political – Disclosure, Alteration and Destruction
    • Fear/Duress – Destruction and Alteration
    • Disruption – Destruction and Alteration
    • Convenience – Alteration and Destruction
  • Understanding correlations like this can help when you’re doing investigations

    • Helps understand why people would be motivated to attack you
    • Narrow down most effective recommendations based on the correlations

 

TTPs (Tactics, Techniques, and Procedures) (42:21)

  • How they do what they do:

    • Defacement

      • Websites defaced
      • Graffiti
      • Low-level crime
    • DoS/DDoS

      • An attacker's master (command-and-control) computer controls a network of compromised "zombie" computers, a botnet
      • The zombies are directed to flood the target with traffic, and may also be used to infect further computers
      • The infected computers are victims themselves: they carry malware their owners usually know nothing about
      • The result is a denial of service: the target server or website can no longer respond to legitimate users
    • SQLi
    • Malware
    • XSS
    • MitM
    • Privilege Escalation
    • Phishing
    • Credential Reuse
    • Brute Forcing
    • Info Disclosure
    • Buffer Overflows
    • Spoofing
  • Correlation of Approach to TTPs

    • Defacement – Opportunistic, Automated, Manual
    • Malware – Opportunistic, Automated, Manual
    • Phishing – Opportunistic, Automated, Manual
    • XSS – Opportunistic, Strategic, Automated
    • Credential Reuse – Strategic, Manual, Automated
    • SQLi – Strategic, Manual, Automated
    • DDoS – Strategic, Manual, Automated
    • Privilege Escalation – Strategic, Manual
    • MitM – Strategic, Manual
  • Correlation of TTPs to Purposes and Targets

    • Defacement – Alteration
    • Malware
    • Phishing – Disclosure (login credentials)
    • XSS
    • Credential Reuse
    • SQLi – Disclosure (anything and everything)
    • DDoS – Destruction
    • Privilege Escalation
    • MitM – Disclosure (sensitive data/IP)

 

Case Studies (45:45)

  • Duanesburg, NY, School District – 2009

    • Events

      • ZeuS Keylogger
      • Dec 18-22, 2009
      • Attempted theft of $3.8 million

        • $3 million transferred
        • $2.5 million recovered
      • Multiple transfers
      • 1/30th of the 2010-2011 budget
    • Characteristics

      • Approaches: Opportunistic
      • Purposes: Disclosure
      • Discovery: End Results
      • Assertions: Confirmed
      • Targets: Login credentials -> Money
      • Actor Types: Cybercriminals
      • Motivations: Financial
      • TTPs: Malware (ZeuS keylogger)
  • Bitcoin Baron

    • Events

      • December 2014 – January 2015 claimed responsibility for 11 DDoS attacks against SLTTs
      • March 2015 – claimed responsibility for 11 DDoS attacks against SLTTs
      • March 23, 2015 – accidentally posts an unrelated charge sheet on Twitter; pulls it offline almost immediately
      • April 9, 2015 – charges announced
      • September 2016 – indicted
      • April 2017 – pleaded guilty
    • Characteristics

      • Approaches: Strategic
      • Purposes: Destruction
      • Discovery: End Results
      • Assertions: Confirmed
      • Targets: N/A
      • Actor Types: Cybercriminals/Hacktivists
      • Motivations: Notoriety, Fun, Grudge
      • TTPs: DDoS
  • TeamSystemDZ Defacements

    • Characteristics

      • Approaches: Opportunistic
      • Purposes: Alteration
      • Discovery: Actor Disclosure, End Results
      • Assertions: Confirmed
      • Targets: Infrastructure/Resources
      • Actor Types: Terrorists/Hacktivists
      • Motivations: Fun, Grudge, Ideology, Notoriety
      • TTPs: Defacement
  • Hoax Extortion Scheme

    • Characteristics

      • Approaches: Opportunistic
      • Purposes: Non-cyber
      • Discovery: Actor Disclosure
      • Assertions: Threatened
      • Targets: Money
      • Actor Types: Criminal
      • Motivations: Financial
      • TTPs: Threat only (no cyber technique used)
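
The correlations from the 39:50 section and the case-study profiles above can be turned into a small scoring tool for narrowing down actor types. The block below is an added example written for these notes, not material from the webinar, from MS-ISAC or from CIS: the six actor profiles are transcribed from the "6 Actor Types" characteristic lists and the three incident profiles from the case-study slides, while the scoring rule (the share of observed attributes each actor's profile allows, averaged over the dimensions that were actually observed) is this example's own assumption. The wildcard handling of "Anything and Everything" as a target is likewise an assumption.

```python
"""Rank the webinar's six actor types against what an investigator observed.
Added example: actor profiles are transcribed from the '6 Actor Types' slides,
incident profiles from the case-study slides; the scoring rule (share of
observed attributes the profile allows, averaged over observed dimensions) is
an assumption of this example, not something the webinar defines."""
from typing import Dict, List, Set, Tuple

# Dimension order used in every profile() call below.
DIMS = ("approaches", "purposes", "discovery", "assertions",
        "targets", "motivations", "ttps")
ANY = "Anything and Everything"   # target wildcard used on the slides


def profile(*rows: str) -> Dict[str, Set[str]]:
    """Build a profile from seven comma-separated rows (empty row = not observed)."""
    return {dim: set(filter(None, row.split(", "))) for dim, row in zip(DIMS, rows)}


PROFILES: Dict[str, Dict[str, Set[str]]] = {
    "Nation-States": profile(
        "Strategic, Manual, Automated",
        "Disclosure, Alteration, Destruction",
        "External, Monitoring, Audit, End Results",
        "Confirmed, Suspected",
        "IP, Logins, Resources, PII, PHI, Money",
        "Espionage, Political, Disruption, Financial",
        "Malware, Privilege Esc, Cred Reuse, Phishing, Spoofing"),
    "Terrorists": profile(
        "Opportunistic, Strategic, Manual, Automated",
        "Destruction, Disclosure",
        "Actor Disclosure, External, Monitoring",
        "Confirmed, Suspected, Claimed, Threatened",
        "Resources, Money, Other",
        "Ideological, Political, Disruption, Grudge, Fear/Duress, Notoriety",
        "Defacement, Info Disclosure, SQLi, XSS"),
    "Cybercriminals": profile(
        "Opportunistic, Strategic, Manual, Automated",
        "Destruction, Disclosure",
        "Actor Disclosure, External, Monitoring, Audit, End Results",
        "Confirmed, Suspected, Claimed, Threatened, False Positive",
        "PII, PHI, Credit Cards, Money, Logins, Resources",
        "Financial, Disruption, Fun, Convenience, Notoriety, Challenge",
        "Malware, Privilege Esc, Cred Reuse, Phishing, Spoofing"),
    "Hacktivists": profile(
        "Opportunistic, Strategic, Manual, Automated",
        "Destruction, Disclosure",
        "Actor Disclosure, External, Monitoring, Audit, End Results",
        "Confirmed, Suspected, Claimed, Threatened",
        "Sensitive Data, " + ANY,
        "Ideological, Grudge, Fun, Notoriety, Political",
        "DDoS, Phishing, Defacement, SQLi, XSS, Info Disclosure"),
    "Insiders": profile(
        "Strategic, Automated",
        "Alteration, Destruction, Disclosure",
        "External, Monitoring, Audit, End Results",
        "Confirmed, Suspected, Threatened",
        "Resources, Money, " + ANY,
        "Espionage, Accidental, Grudge, Personal Gain, Disruption, "
        "Financial, Fear/Duress, Challenge",
        "Malware, Privilege Esc, MitM, Info Disclosure"),
    "Criminals": profile(
        "Strategic, Manual",
        "Alteration, Destruction, Disclosure",
        "End Results, External, Monitoring, Audit",
        "Confirmed, Suspected",
        ANY,
        "Financial, Convenience, Fear/Duress, Grudge",
        "Malware, Privilege Esc, MitM, Info Disclosure"),
}


def score_actor(observed: Dict[str, Set[str]], actor: Dict[str, Set[str]]) -> float:
    """Fraction of observed attributes the actor's profile allows, averaged over
    the dimensions that were observed; unobserved dimensions (e.g. 'Targets: N/A'
    in the Bitcoin Baron case) are skipped rather than counted against anyone."""
    parts: List[float] = []
    for dim in DIMS:
        seen = observed.get(dim, set())
        if not seen:
            continue
        allowed = actor[dim]
        if dim == "targets" and ANY in allowed:
            hits = len(seen)                      # wildcard: every target fits
        else:
            hits = sum(1 for s in seen if s in allowed)
        parts.append(hits / len(seen))
    return sum(parts) / len(parts) if parts else 0.0


def rank_actors(observed: Dict[str, Set[str]]) -> List[Tuple[str, float]]:
    """Actor types ordered from best to worst fit (ties broken by name)."""
    ranked = [(name, round(score_actor(observed, p), 3)) for name, p in PROFILES.items()]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


# Incident profiles from the webinar's case-study slides.
DUANESBURG = profile("Opportunistic", "Disclosure", "End Results", "Confirmed",
                     "Logins, Money", "Financial", "Malware")
BITCOIN_BARON = profile("Strategic", "Destruction", "End Results", "Confirmed",
                        "", "Notoriety, Fun, Grudge", "DDoS")
TEAMSYSTEMDZ = profile("Opportunistic", "Alteration", "Actor Disclosure, End Results",
                       "Confirmed", "Resources", "Fun, Grudge, Ideological, Notoriety",
                       "Defacement")
```

Calling `rank_actors(DUANESBURG)` puts Cybercriminals first with a perfect fit, `rank_actors(BITCOIN_BARON)` puts Hacktivists first, and `rank_actors(TEAMSYSTEMDZ)` returns Hacktivists then Terrorists, which matches the actor types the speaker assigned to each case. Because the slide categories overlap heavily (Insiders, Criminals and Nation-States all score the same on Duanesburg), the scores cluster; the tool narrows the field and highlights which dimension (here the opportunistic approach) separates the candidates, it does not decide, in keeping with the caveat at 49:44 that there are no absolute rules.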

 

Actionable Intelligence (49:44)

  • Investigators

    • Approaches

      • Opportunistic – rarely worth pursuing
      • Strategic – maybe local actor

        • Local controversial incidents
        • Likelihood to recur
    • Assertions

      • False Positive – common in data dumps, verify.
      • Claimed – not always criminal
      • Threatened – not always criminal
    • Targets

      • Sensitive Data/IP – hard to prove losses, more likely to be espionage

        • Hard to provide a concrete number to the loss amount
    • Actor Types

      • Nation-States – may require Fed resources to investigate China, etc.
      • Terrorists – may require Fed resources
    • Motivations: Fun, Grudge, Ideology, Notoriety
    • TTPs

      • Defacement – not worth investigating

        • Thousands happen every day
      • DoS/DDoS – attacking computers are probably victims too

        • Tracing IP addresses isn’t going to get you far
  • Analysts

    • Approaches

      • Strategic – pattern/info sharing
      • Manual – pattern/info sharing
    • Purposes

      • Patterns
    • Discovery Methods

      • Actor Disclosure

        • Watch for this
        • They tend to lie
    • Assertions

      • Use to gain understanding of the actor
    • Targets

      • Patterns
    • TTPs

      • Assess skills
  • IT and Cybersecurity Pros

    • Approaches

      • Strategic – everyone, basic defenses
      • Opportunistic – everyone, find your crown jewels
    • Purposes

      • Determine most harm to crown jewels
    • Discovery Methods

      • Have contacts to ensure reporting
    • Assertions

      • False positive – verify before responding
    • Targets & Actors

      • Crown jewels; data classification, risk analysis
    • TTPs

      • Use to determine actor threats
  • Caveat

    • We’re playing defense
    • We’re not going to be right 100% of the time
    • There are no absolute rules in cybersecurity

 

What Can You Do? (54:43)

  • Low Hanging Fruit!

    • Designate someone to be responsible
    • Set expectations
    • Get your domain
  • Long-term

    • Patch, update
    • Use defensive software

      • Anti-virus
      • Anti-malware
    • Backup your crown jewels
    • Train users
    • Enforce password standards

      • Strong
      • Complex
      • Unique
    • Share intelligence
    • Work with the MS-ISAC

      • Free and voluntary
      • No mandated information sharing
      • Benefits

        • Access to information, intelligence, products, resources, and webcasts
        • Insider access to federal information
        • Training and resource discounts
        • CIS SecureSuite discounts
        • HSIN Community of Interest (COI)
        • Cybersecurity exercise participation
        • Malicious Code Analysis Platform (MCAP)

Additional Resources

  • Clarifying and Understanding Cyber Threats and Actors (Justice Clearinghouse)
  • Clarifying and Understanding Cyber Threats and Actors: An Interview with Stacey Wright (Justice Clearinghouse)