Webinar Notes: State and Local CyberThreat Landscape



Overview (06:14)

  • What are ISACs?

    • Created via PDD-63 (Presidential Decision Directive 63), May 22, 1998, so that the private sector could come together to share information, perform analysis, and respond to incidents
    • Gives the private sector a single voice to the government, and vice versa
    • Arranged around the original infrastructure sectors
    • Currently, there are 24 ISACs
  • What is MS-ISAC?

    • Designated by DHS as the key resource for cyber threat prevention, protection, response and recovery for the nation’s state, local, tribal, and territorial (SLTT) governments.
    • Who are MS-ISAC serving?

      • Members include:

        • 50 State Governments
        • 79 DHS-Recognized Fusion Centers
        • 6 Territorial Governments
        • 39 Tribal Governments
        • More than 1,600 local governments
    • MS-ISAC Membership

      • Free and Voluntary
      • No Mandated Information Sharing
      • Only an NDA Required
    • Benefits of MS-ISAC Membership

      • Access to information, intelligence, products, resources, and webcasts
      • Insider access to federal information
      • Training and resource discounts
      • CIS SecureSuite discounts
      • HSIN Community of Interest (COI)
      • Cybersecurity exercise participation
      • Malicious Code Analysis Platform (MCAP)
  • Note: This webinar is Traffic Light Protocol (TLP): WHITE

    • Information may be shared without restriction; everything here is open information available online


Why SLTT Governments? (08:59)

  • Why are cybercriminals targeting me?

    • Most victims are not specifically targeted; it is bad luck
    • Cybercriminals are opportunistic
    • You are hit because your email address was harvested somewhere
    • Malware gets in through email (attachments, links) or through web browsing
  • Criminals look for data, and governments hold a lot of it.

    • Licenses, certificates, bank details, taxes, all of which go through SLTT governments


Malware Trends (10:17)

  • Financial (banking) malware is the most common type
  • Network monitoring detects malware via signatures for malicious traffic patterns associated with specific malware families.
  • Top 10 malware detected by network monitoring for the month of September

    • Kovter (Trojan)

      • Trojan – disguises itself as an innocent file to get into your network, then turns malicious
      • Click fraud – silently loads and "clicks" advertisements; the Flash advertisements that pop up are one visible symptom
      • Has been used to download ransomware
    • Emotet (Banking)

      • Arrives as spam email carrying a Microsoft Office document with malicious macros
      • The macro is how the malware is hidden inside the document
      • Scrapes names and email addresses from the victim's contacts to spread further
    • ZeuS (Banking)
    • Ursnif (Banking trojan, commonly delivered by exploit kits)
    • EITest (compromised-website redirect chain that feeds exploit kits)
    • DNSChanger (DNS Hijacker)
    • PCRat/Gh0st (RAT)
    • Virlock (Ransomware)
    • Ponmocup (Downloader)
    • Floxif (Information gathering)

      • A trojan
      • A supply chain compromise
      • Malware was inserted into a legitimately signed update of a computer cleaning tool (CCleaner 5.33, September 2017), so it was installed by the tool's own update mechanism
  • From August to September, half of the top 10 malware list changed.
  • Most common infection vector: malspam (malicious spam)
  • Common Tactics

    • Scraping address books
    • Sending spam
    • Stealing banking and social media passwords
    • Redirecting traffic to malicious sites
    • Gathering reconnaissance information


Ransomware (15:20)

  • What it does

    • Encrypts your files
    • Locks your computer so you cannot access it
    • Demands a ransom to get your files back
    • New variants and TTPs keep appearing
    • Ransomware-as-a-Service lets non-technical criminals run campaigns
    • Used in extortion schemes
    • Data exfiltration alongside encryption
  • Chart providing the trend for ransomware notifications

    • This year there has been a decrease in ransomware notifications
  • Recommendation

    • Planning

      • Discuss what a ransomware infection would cost your specific agency and make decisions (including whether you would ever pay) before an infection occurs
      • Keep in mind: in about 20% of cases the decryption keys do not work, so paying does not guarantee recovery
      • Prepare and test protocols for multiple scenarios and have recovery plans in place
    • Prevention

      • Keep your systems patched – desktops and servers
      • Ensure up-to-date backups are stored offline and regularly tested by actually restoring from them
      • Email filtering
      • Keep your AV and firewall software and signatures up to date
      • End-user training and awareness
  • How does it get into our computers?

    • Malicious spam (malspam)

      • Decreasing from August to September
    • Malicious advertising (malvertising)

      • Malicious code embedded in advertisements that are served through legitimate websites
      • Infection does not require a click: an ad loaded in an open page can exploit an unpatched browser or plugin
      • Web pages and tabs left open in the background therefore increase your exposure to malvertising


BEC Scam (21:32)

  • Business Email Compromise (BEC) is a pure social-engineering scam; no malware is involved
  • Variants seen targeting SLTT governments

    • CEO Compromise Variant

      • Results in a wire transfer
      • Targets finance departments
      • Spoofed or compromised executive account
      • Extremely effective, billions lost
      • Looks like

      From: CEO (an executive within the organization)
      To: Finance Department (someone who handles finances)
      Body: Made to look like an email from inside your organization. Abrupt text mimicking an urgent message sent from a mobile device. Inquiries about the organization's finances, etc.

  • Purchase Order Variant

    • a.k.a. Bogus Invoice Scheme, Supplier Swindle
    • May include spoofed domains and copied purchase orders
    • Schools are frequent SLTT targets
  • W-2 Phishing Info Variant

    • Results in PII data breach
    • Targets finance or HR depts
    • Results in filing of fraudulent tax returns
    • Spoofed or compromised executive account
    • Prevalent during tax season
    • Looks like

      Body: Says you are enrolled in the paperless W-2 program and that there appears to have been an issue. Links to a compromised website where you are asked to enter your login credentials to "check the issue", which hands them to the attacker.

  • Attorney Impersonation Variant
  • Recommendations

    • Plan

      • Have a policy for reporting BEC and similar phishing emails
      • Educate finance and HR departments
      • Collaborate with finance and HR departments to ensure their policies are supported by technological solutions (e.g. encryption)
      • Train users in detecting social engineering attempts.
    • Prevent

      • Add warning banners for emails from external sources
      • Implement filters at your email gateway
      • Instead of replying to a suspicious email, forward it and type the person's real internal address yourself; a reply would go to whatever Reply-To address the scammer set
      • Call the purported sender on a known phone number to verify (not a number given in the email)
    • React

      • You have roughly 72 hours to stop a wire transfer once it is sent

        • The first 24 hours are the golden window, so report immediately
      • Report BEC scams/attempts to:

        • IC3/FBI at https://bec.ic3.gov/
        • MS-ISAC (cisecurity.org/ms-isac) at soc@msisac.org
        • Tax-related scams/attempts also to: IRS at https://www.irs.gov
    • Attend one of the free half-day BEC workshops MS-ISAC is running

      • October 19 – Kennedy Space Center, FL
      • October 25 – Hudson, OH
      • October 26 – Phoenix, AZ- Desert Willow Conference Center
      • October 27 – Denver, CO- History Colorado Center
      • October 30 – Nashville, TN- HCA Main Presentation Stage
      • November 3 – Boston, MA
      • November 7 – Kansas City, KS – Kansas City Public Library
      • November 8 – Los Angeles (Thousand Oaks), CA – Amgen, Inc.
      • New York City, NY – Date TBD
      • Dallas, TX- Date TBD
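The Prevent items above (external-sender banner, gateway filters, never trusting the Reply-To, verifying out of band) can be turned into mechanical checks. The following is an added example, not MS-ISAC code or a tool shown in the webinar: it flags the indicators described for the CEO and W-2 variants, namely an outside mailbox carrying an executive's display name, a lookalike domain, a Reply-To that points somewhere other than the From address, urgency wording, and the "sent from my iPhone" signature. The internal domain county.example, the executive list, and the two sample messages are constructed for illustration.

```python
"""BEC indicator checks for an email gateway or a triage script.

Added example. The domain, executive list and sample messages below are
constructed for illustration, not taken from the webinar.
"""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "county.example"                      # assumed agency mail domain
# Executive display names and their real mailboxes (assumed for the example)
EXECUTIVES = {"pat doe": "pat.doe@county.example"}
URGENCY = re.compile(r"\b(urgent|asap|immediately|wire transfer|w-?2|confidential)\b", re.I)
MOBILE = re.compile(r"sent from my (iphone|ipad|android|mobile)", re.I)


def check_message(raw: str) -> list:
    """Return the BEC indicators found in one RFC 5322 message (empty list if none)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = addr.rsplit("@", 1)[-1]
    findings = []

    if sender_domain != INTERNAL_DOMAIN:
        findings.append("external-sender")              # where the warning banner goes
        if INTERNAL_DOMAIN.split(".")[0] in sender_domain:
            findings.append("lookalike-domain")          # county-example.com, county.example.co, ...
        if EXECUTIVES.get(name.strip().lower(), addr) != addr:
            findings.append("executive-display-name")    # insider's name, outsider's mailbox
    if reply_to and reply_to.lower() != addr:
        findings.append("reply-to-mismatch")             # a "reply" would go somewhere else

    body = "" if msg.is_multipart() else msg.get_payload()
    text = msg.get("Subject", "") + "\n" + body
    if URGENCY.search(text):
        findings.append("urgency-language")
    if MOBILE.search(text):
        findings.append("mobile-signature")
    return findings


# Constructed samples: a CEO-fraud attempt and a genuine internal message.
CEO_FRAUD = """\
From: Pat Doe <pat.doe@county-example.com>
Reply-To: pat.doe@webmail.example
To: finance@county.example
Subject: Urgent

Are you at your desk? I need a wire transfer processed before noon, will send details.
Sent from my iPhone
"""

LEGIT = """\
From: Pat Doe <pat.doe@county.example>
To: finance@county.example
Subject: Budget meeting

Agenda attached for Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("CEO_FRAUD", CEO_FRAUD), ("LEGIT", LEGIT)):
        print(label, check_message(raw) or "clean")
```

Any single finding is weak on its own (plenty of genuine mail is urgent, and many staff sign from a phone); the combination of an external sender, an executive's name and a diverted Reply-To is what should route the message to a human before any payment or W-2 data moves.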


Other Cyberthreats (29:30)

  • Identified Data Breaches

    • 140% increase in identified data breaches since last year

      • The leading vector has shifted from mostly unknown to mostly keylogging / credential phishing
      • Much of this is an effect of the W-2 BEC variant
      • State and local government staff replied to BEC emails with their employees' W-2 information, which counts as a breach
    • Five data breaches in September

      • Two associated with an actor/group called TheDarkOverlord, located outside the US
      • TheDarkOverlord has targeted companies like Netflix, healthcare providers, and K-12 schools.
  • Hoax Extortion Schemes

    • Extortion demands with Bitcoin payment, backed by no real capability
    • Names the senders claim to be: Lizard Squad, Armada Collective, LulzSec, New World Hacking, Phantom Squad
    • What to do?

      • Give MS-ISAC a call and forward the email.
  • High Profile Event Related Domains

    • A chart of domains registered containing "Harvey", "Irma", and "Equifax"
    • Registration volume tracks current events such as hurricanes, disasters and major breaches; such domains are commonly set up for scams and phishing
  • Website Defacement

    • Chart of incident frequency by month
    • Mostly digital graffiti
    • 2 government website defacements attributed to a particular campaign
    • Low level in recent months, credited to strengthened website security


Binding Operational Directives (35:48)

  • BOD 17-01 on Kaspersky

    • Federal changes:

      • July 11: GSA removed Kaspersky Lab from the list of approved vendors
      • September 13: DHS issued BOD 17-01, directing federal agencies to identify Kaspersky products on their systems and remove them within 90 days
    • Kaspersky Lab

      • Russian cybersecurity and antivirus company
      • Founded by Eugene Kaspersky, a former software engineer for Soviet military intelligence
      • The directive was issued as a precaution, to keep American information out of Russian reach

        • The founder's direct ties to Soviet military intelligence are part of the concern
        • SORM – the Russian lawful-intercept program that inspects all traffic passing through Russian internet space, so data reaching Russia is exposed to the state
    • MS-ISAC Recommendations

      • SLTTs should follow the guidance in the federal directive
  • BOD 18-01 on Email & Web Security

    • Federal agencies must deploy email authentication (SPF, and DMARC moving to a p=reject policy) so that mail claiming to come from a federal domain can be verified and spoofed mail rejected, and must support STARTTLS for mail in transit
    • All publicly accessible federal websites must serve traffic over HTTPS, the secure protocol for web traffic, with HSTS, and with SSLv2/SSLv3, 3DES and RC4 disabled

      • This ensures traffic to federal sites is encrypted by default
      • Intermediaries cannot read or alter what you are browsing or the information you are sending (the site you are visiting is still visible from DNS and TLS metadata)
    • MS-ISAC Recommendations

      • SLTTs should follow the guidance in the federal directive
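Since the recommendation is for SLTTs to follow the same directive, the checks below show what "following BOD 18-01" means concretely for an agency's own domain. This is an added example, not DHS or MS-ISAC tooling: it evaluates an SPF record, a DMARC record, an HSTS response header and a TLS configuration against the directive's requirements. The record strings and header values are constructed (in practice they come from DNS TXT lookups and an HTTPS response), and the one-year HSTS max-age threshold is the preload-list minimum, assumed here as the bar.

```python
"""Checks for the BOD 18-01 requirements an SLTT can apply to its own domains.

Added example, not DHS or MS-ISAC tooling. The record strings and header
values below are constructed; in practice they come from DNS TXT lookups
and an HTTPS response.
"""
import re

ONE_YEAR = 31536000   # HSTS max-age threshold (the preload-list minimum; assumed here as the bar)
BANNED_CIPHERS = ("RC4", "3DES", "DES-CBC3")
BANNED_PROTOCOLS = ("SSLv2", "SSLv3")


def spf_compliant(record: str) -> bool:
    """SPF must exist and end with a hard fail (-all) so spoofed mail is rejected."""
    terms = record.split()
    return bool(terms) and terms[0].lower() == "v=spf1" and terms[-1].lower() == "-all"


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_compliant(record: str) -> bool:
    """Target state: p=reject applied to 100% of mail, with aggregate reports going somewhere."""
    tags = parse_dmarc(record)
    return (tags.get("v", "").upper() == "DMARC1"
            and tags.get("p", "").lower() == "reject"
            and tags.get("pct", "100") == "100"
            and "rua" in tags)


def hsts_compliant(headers: dict) -> bool:
    """HTTPS with HSTS: max-age of at least a year, so browsers refuse plain HTTP afterwards."""
    value = headers.get("Strict-Transport-Security", "")
    match = re.search(r"max-age=(\d+)", value, re.I)
    return bool(match) and int(match.group(1)) >= ONE_YEAR


def tls_config_compliant(protocols, ciphers) -> bool:
    """SSLv2/SSLv3 must be disabled and 3DES/RC4 removed from the cipher list."""
    bad_proto = any(p in BANNED_PROTOCOLS for p in protocols)
    bad_cipher = any(b in c.upper() for c in ciphers for b in BANNED_CIPHERS)
    return not (bad_proto or bad_cipher)


# Constructed inputs: one compliant domain and one that still needs work.
GOOD = {
    "spf": "v=spf1 include:_spf.mail.example mx -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@county.example",
    "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
    "protocols": ["TLSv1.2"],
    "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256"],
}
WEAK = {
    "spf": "v=spf1 mx ~all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@county.example",
    "headers": {},
    "protocols": ["TLSv1.2", "SSLv3"],
    "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "DES-CBC3-SHA"],
}


def assess(domain: dict) -> dict:
    """Run every check and report which BOD 18-01 items pass."""
    return {
        "spf": spf_compliant(domain["spf"]),
        "dmarc": dmarc_compliant(domain["dmarc"]),
        "hsts": hsts_compliant(domain["headers"]),
        "tls": tls_config_compliant(domain["protocols"], domain["ciphers"]),
    }


if __name__ == "__main__":
    print("good:", assess(GOOD))
    print("weak:", assess(WEAK))
```

These are syntactic checks only: a real assessment also has to follow SPF include chains (and their 10-lookup limit), confirm that DKIM/SPF alignment actually passes for every sending service before moving DMARC from p=none to p=reject, and probe the live TLS endpoint rather than trusting a configuration file.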


KRACK Attack (39:14)

  • Key Reinstallation Attacks (KRACK)

    • An attack on the WPA2 protocol's key handshake, not on the underlying AES encryption
    • WPA2 is the security mode for Wi-Fi connections, the best of the three options (vs. WEP and WPA)
    • Targets the 4-way handshake of the WPA2 protocol
    • Man-in-the-middle attack: the attacker must be in radio range and sit between client and access point
    • Replaying handshake message 3 makes the client reinstall the session key and reset its packet number, forcing nonce and keystream reuse
    • The weaknesses are in the Wi-Fi standard, not individual implementations, so every standards-conforming product was affected
    • Android 6+ and Linux (wpa_supplicant 2.4 and later) can be tricked into installing an all-zero encryption key, which makes decryption trivial
    • Remediation is patching clients (and access points for 802.11r fast roaming); changing the Wi-Fi password does not help, and WPA2 remains the right mode to use
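Why "nonce and session key reuse" is the whole story: CCMP encrypts frames with AES in counter mode, keyed by the session key and a nonce built from the transmitter address and an incrementing packet number, so the same key and nonce produce the same keystream. The block below is an added example, not code from the webinar or from the KRACK researchers. It uses a toy counter-mode keystream (HMAC-SHA256 over nonce and block index) in place of AES-CTR, which does not change the property being shown, and constructs a session key, a client MAC and two frames for illustration. It also shows the all-zero key case mentioned above.

```python
"""Why nonce reuse after a KRACK key reinstallation is fatal.

Added example, not code from the webinar or the KRACK researchers. A toy
keystream (HMAC-SHA256 in counter mode) stands in for the AES-CTR half of
CCMP; the weakness shown does not depend on the block cipher.
"""
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: block i = PRF(key, nonce || i). Same key and nonce -> same bytes."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ccmp_nonce(mac: bytes, packet_number: int) -> bytes:
    """CCMP nonce shape: transmitter address plus a 48-bit packet number (PN)."""
    return mac + packet_number.to_bytes(6, "big")


def encrypt_frame(key: bytes, mac: bytes, packet_number: int, plaintext: bytes) -> bytes:
    """Stream encryption: ciphertext = plaintext XOR keystream(key, nonce)."""
    return xor(plaintext, keystream(key, ccmp_nonce(mac, packet_number), len(plaintext)))


def recover_with_known_plaintext(c_known: bytes, p_known: bytes, c_target: bytes) -> bytes:
    """If two frames share key and nonce, c1 XOR c2 = p1 XOR p2; one known plaintext reveals the other."""
    return xor(xor(c_known, c_target), p_known)


# Constructed session: 128-bit temporal key, client MAC, two frames.
SESSION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
CLIENT_MAC = bytes.fromhex("0a1b2c3d4e5f")
FRAME_KNOWN = b"GET /index.html HTTP/1.1\r\nHost: intranet.county.example\r\n\r\n"   # guessable
FRAME_SECRET = b"POST /login user=clerk&pw=Winter2017!"                            # not


def krack_demo() -> tuple:
    """Return (recovered secret with nonce reuse, recovered garbage when PN advances)."""
    c_known = encrypt_frame(SESSION_KEY, CLIENT_MAC, 1, FRAME_KNOWN)
    # Normal operation: the client's PN increments, so the next frame gets a fresh keystream.
    c_fresh = encrypt_frame(SESSION_KEY, CLIENT_MAC, 2, FRAME_SECRET)
    # After a replayed handshake message 3 the client reinstalls the same key and resets PN to 1.
    c_reused = encrypt_frame(SESSION_KEY, CLIENT_MAC, 1, FRAME_SECRET)
    with_reuse = recover_with_known_plaintext(c_known, FRAME_KNOWN, c_reused)
    without_reuse = recover_with_known_plaintext(c_known, FRAME_KNOWN, c_fresh)
    return with_reuse, without_reuse


def all_zero_key_demo() -> bytes:
    """wpa_supplicant 2.4+ (Android 6+, Linux) installed an all-zero key: anyone can decrypt."""
    zero_key = bytes(16)
    c = encrypt_frame(zero_key, CLIENT_MAC, 1, FRAME_SECRET)
    return encrypt_frame(zero_key, CLIENT_MAC, 1, c)   # decrypt = re-encrypt in CTR mode


if __name__ == "__main__":
    reused, fresh = krack_demo()
    print("with nonce reuse:", reused)
    print("with fresh nonce:", fresh)
    print("all-zero key:    ", all_zero_key_demo())
```

The attacker never learns the session key in the reuse case; they only need one guessable frame (DHCP, ARP, an HTTP request to a known host) encrypted under the same nonce as the one they want to read. That is also why a new Wi-Fi password does nothing: the fresh key still gets reinstalled and its packet number still resets until the client is patched.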


ROCA (41:36)

  • Vulnerability in an implementation of a particular type of encryption, not in the RSA algorithm itself
  • RSA key generation flaw in an Infineon Technologies code library (found in smart cards, TPMs and security tokens): the generated primes have a special structure

  • The private key can be recovered from the public key alone (practical for 1024-bit keys, feasible at cost for 2048-bit), so the encryption no longer secures anything: an attacker could look like you online, signing or authenticating as you, or read data encrypted to you
  • Expected to develop further and to affect law enforcement, among other users of the affected hardware
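Because the flaw is in how the primes are generated, affected keys can be recognised from the public key alone, which is how an agency can check the certificates on its own smart cards and TPM-backed credentials. The block below is an added example, not the published detector, though it applies the same fingerprint: Infineon's generator produced primes of the form k*M + (65537^a mod M), with M a product of small primes, so every affected modulus N satisfies N mod r in the subgroup generated by 65537 mod r for each small prime r dividing M. The weak and normal moduli it tests are constructed for illustration (the "weak" factors are not actually prime, which the fingerprint does not care about).

```python
"""Fingerprint test for ROCA-affected RSA public keys.

Added example, not the published roca-detect tool, though it applies the
same idea: affected moduli have residues mod small primes that all lie in
the subgroup generated by 65537. Ordinary keys fail that test with
overwhelming probability.
"""
from functools import reduce

E = 65537
# The primorial M used for 512-, 1024- and 2048-bit Infineon keys is divisible by
# every prime up to 167, so these residues suffice for all affected key sizes.
PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83,
          89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151, 157, 163, 167]


def subgroup(prime: int) -> set:
    """Multiplicative subgroup of Z_prime* generated by 65537."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * E) % prime
    return seen


ALLOWED = {r: subgroup(r) for r in PRIMES}


def roca_fingerprint(n: int) -> bool:
    """True if n has the residue structure of an Infineon-generated modulus."""
    return all(n % r in ALLOWED[r] for r in PRIMES)


def false_positive_rate() -> float:
    """Probability that a random modulus passes: product of |<65537>| / (r-1) over the primes."""
    return reduce(lambda acc, r: acc * len(ALLOWED[r]) / (r - 1), PRIMES, 1.0)


# Constructed demo inputs. WEAK_N is built the way the flawed generator builds
# its primes (the factors are not actually prime, which the fingerprint does
# not care about); NORMAL_N is a modulus without that structure.
M = reduce(lambda a, b: a * b, PRIMES, 1)
WEAK_N = (pow(E, 12345, M) + 7 * M) * (pow(E, 6789, M) + 11 * M)
NORMAL_N = 11 * 10**300 + 2          # residue 2 mod 11 is outside <65537 mod 11> = {1, 10}


if __name__ == "__main__":
    print("weak modulus flagged:  ", roca_fingerprint(WEAK_N))
    print("normal modulus flagged:", roca_fingerprint(NORMAL_N))
    print("false positive rate:   ", false_positive_rate())
```

To check a real certificate, extract the modulus (for example from the public key with OpenSSL) and pass it as an int. A positive result means the key must be replaced, ideally generated outside the affected hardware until its firmware is fixed; updating the firmware alone does not repair keys that already exist.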


What Can You Do? (43:09)

  • Low Hanging Fruit!

    • Designate someone to be responsible
    • Set expectations

      • What they should be doing
      • How they should be doing it
      • Resources available
      • Get leadership on the same page
    • Get your own domain

      • Gives your agency an official email address instead of relying on personal or free webmail accounts, and a domain you control for mail authentication and filtering
    • Patch, update
    • Use defensive software

      • Anti-virus
      • Anti-malware
    • Back-up
    • Train users

      • Social engineering
    • Enforce passwords standards

      • 10 characters or more
      • Upper and lowercase
      • Numbers
      • Symbols
    • Share intelligence

      • Get the word out
    • Work with the MS-ISAC
  • Share Information

    • Be prepared

      • Learn from others’ best practices
      • Gather intel to help you be proactive
    • Be willing to ask for help

      • Identify other resources to augment what you are doing
    • Be a part of the solution

      • Take part in information sharing

MS-ISAC (45:38)

  • 24×7 Security Operations Center
  • Central location to report any cybersecurity incidents
  • Services

    • Support

      • Network Monitoring Services
      • Research and Analysis
      • Incident Response
    • Analysis

      • Threats & Trends
      • Vulnerabilities
      • Attacks & TTPs
      • Cyber Threat Actor Activity
    • Reporting:

      • Cyber Alerts & Advisories
      • IP & Domain Monitoring
      • Automated Indicator Sharing
      • Strategic Intelligence
    • Monitoring of IP Range & Domain Space

      • IP Monitoring

        • IPs connecting to malicious C2s
        • Compromised IPs
        • Indicators of compromise from the MS-ISAC network monitoring (Albert)
        • Notifications from Spamhaus
      • Domain Monitoring

        • Notifications of compromised user credentials, drawn from open-source and third-party information
        • Vulnerability Management Program (VMP)
  • Who do I call?

    • To join or get more information: https://learn.cisecurity.org/ms-isac-registration
    • Security Operations Center (SOC)
    • SOC@msisac.org
    • 1-866-787-4722
    • 31 Tech Valley Dr., East Greenbush, NY 12061-4134
    • www.cisecurity.org


Quick poll

  • What is your experience level with the cybersecurity preparations of your agency? (03:57)

    • None – I’m here because I’m curious and want to learn 24%
    • Some – I get basic information/basic organizational briefings 46%
    • More than most – I’m on the team responsible for addressing cybersecurity or cyber response 16%
    • I’m responsible for the organization’s cybersecurity/responsiveness to cyber concerns 14%
  • Which of the following topic areas matter most to you? (select all that apply)

    • The current threat environment – 70%
    • How different types of attacks work – 70%
    • New and emerging malicious cyber activity and motivations – 76%
    • Investigative techniques – 62%
    • How to protect my agency – 68%




Links and Contacts

  • MS-ISAC Membership Registration
  • BOD 17-01 | DHS
  • BOD 18-01 | DHS
  • NH-ISAC BEC Workshop

For questions and clarifications, contact:

  • Senior Intelligence Program Manager
  • MS-ISAC 24×7 Security Operations Center


Questions and Answers


Would you recommend that first-responder organizations, such as communications organizations, law enforcement agencies, that kind of thing, drill and train on what their procedures should be should they experience a cyber attack and their systems go down? (49:47)

Absolutely. It is such a critical environment that you need to be able to respond no matter what. It's really important to know what to do if you don't have a computer. These attacks can shut down dispatch and 911 access to the internet; you should know how to operate without a computer and still get the information you need to people who may be out in the field without any other connectivity device.


Are conference calls systems vulnerable? If so, is there a particular one you recommend for secure meetings? (51:09)

I cannot make recommendations like that (on providers), being a DHS contractor.


Con-call systems can be vulnerable – yes.


If you're talking about a webinar system like we're using today. Webinar systems are transmitted over the internet, there is going to be some security, but these are not made to transmit classified information for a reason. A system like this is always vulnerable.


If you're talking about something like a Polycom, it is also vulnerable. Polycoms are in some ways just computer devices that happen to have a phone attached. They run over voice over IP, which means the data stream itself could potentially be vulnerable. The Polycom itself could have malware on it – I have actually seen this occur.


The easiest attack I have seen with a Polycom occurred when the agency did not change its user ID numbers for every new call. So once they gave out the call information, it was the same information used time and again, which meant that if they had a call with you six months later, you could keep trying to call into that phone using the same guest ID and see if you would get through to a new call.
