2022 Cybersecurity Conference
Security Challenges & Incident Response
October 12, 2022
Tyler Hudak
Practice Lead - Incident Response
Sr. IR Consultant
Tyler.Hudak@TrustedSec.com
• 20+ years experience in Incident Response, Forensics, and Security
• Trained/Presented at multiple conferences
• Huge geek and nerd
• Community ties:
Origin of This Talk
Search shodan.io for North Canton
See multiple Remote Desktop open
Agenda
• What is the impact of cyber crime?
• What can you expect when an
incident happens?
• What can you do to prevent
incidents from occurring?
Cyber Crime Impact
2021
Source: https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf
But it's not that bad…right?
Don’t become complacent!
Most attacks are not reported or in
the news.
Who is attacking?
• Organized Crime
• Hackers
• State Sponsored
• Insiders
Why?
https://www.hackmageddon.com/2022/09/22/august-2022-cyber-attacks-statistics/
Most Common Attacks
• Business E-mail Compromise: $2.4 Billion
• FBI Reported Ransomware: $49.2 Million**
• Unreported Ransomware: $20+ Billion
Source: https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf
Incidents are not a matter of if…
Prepare
Protect
Incidents
What You Can Expect
Ransomware Lifecycle
1. Initial Foothold
Attacker enters environment.
• Phishing
• Supply Chain
• Remote Access
2. Reconnaissance
Your environment is researched.
• What do you do?
• Where is your data?
• Where are your critical systems?
3. Lateral Movement
Attacker becomes admin. Moves through your network to find your data.
4. Data Exfiltration
Sensitive data is sent out. Attacker will use this to extort you.
5. Deployment & Encryption
Ransomware encryption program is pushed to as many systems as possible.
6. Payment or Extortion
Attacker demands payment to:
• Decrypt
• Not release data
Timeline shown across the stages: Hours to months, Hours to days, Minutes to Hours, Days to Months
How do attackers get in?
• Phishing
• Remote Access
  • https://shodan.io
• Credential Reuse
  • https://haveibeenpwned.com
• Supply Chain
  • MSP, HVAC, etc.
Incident Discovery
• Security Alerts
• 3rd Party Notification
• Users
• Attack Specific
The First Few Minutes
• Don’t panic.
• Follow your plan.
• Don’t have a plan? Create one now.
• Isolate compromised systems, users and
networks.
• Shut down as last resort.
• Don’t panic.
Who Ya Gonna Call?
Do you have the resources and expertise
to take care of the incident?
• Cyber Insurance
• Incident Response
• Legal
• Crisis Communications
• IT Support
• Law Enforcement
Can your MSP/IT do IR?
Don’t wait to call
Talk to Legal about this
What do they provide?
Internal or external?
Stay ahead of the story
Investigate
• How did they get in (RCA)?
• What did they do?
• What data was stolen?
• Who was compromised?
• Can you recover?
Don’t skip this step!!!
You can recover while
you investigate.
Root Cause Analysis Case
1. Company hit with ransomware
2. Wanted quick analysis, no root cause analysis
3. Did not engage any IR companies
4. Hit with ransomware 2 weeks later
Attackers steal data to sell it
Source: https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf
But we don’t have data anyone wants!
• Employee Information
• Project Data
• Client Information
• Internal Emails
• Personal Information
• Financials
Do Attackers Really Release Data?
Eradicate and Recover
Questions To Ask
• Are your backups intact / trustworthy?
• How far back do you have to restore?
• How long will it take to fully restore?
• Who will validate the restoration?
Steps to Recovery
• Find all compromised systems
• Rebuild systems from clean image on clean network
• Restore data from backup
• Remove/Reset all affected accounts
What if you can’t recover?
Ransom Payment Questions to Consider
Would you pay the ransom?
How?
Who is paying?
What if you can’t pay?
It's all over…
• Create an after action report
• Hold a lessons learned meeting
• Discuss the good and the bad
• Do not finger point
Prevention and Protection
6 Things You Can Do
1. Have a plan
• Document tech and business
responsibilities
• Know who to contact
• Set up these relationships BEFORE an
incident occurs
• Test your plan!
2. Use Strong Passwords
• No Double Dipping:
Not good with Chips
Not good with Passwords!
• Use Passphrases not
• Use a Password Manager!
Password Managers
• 1Password - https://1password.com
• KeePass (free) - https://keepass.info
• LastPass - https://lastpass.com
• Dashlane – https://dashlane.com
3. Multifactor Authentication (MFA)
• Use everywhere you can!
• Apps are better than text messages
• Don’t push approve unless it's really you!
Beware of MFA Fatigue Attacks!
4. Take Backups
• Protect your backups!
• Store offline / tape
• Test restorations
5. Talk to Your Users
• Users may see attacks before they
are detected
• Educate them on what to look for
• Give them a method on how to
respond
• Never shame/fire someone over
getting compromised
Look for these signs in your email:
• Poor grammar or graphics
• Bogus E-Mail Address
• Aggressive call to action
• Links don’t match
6. Stay Updated
• Get updates from a trusted source
• Enable Automatic Updates
• Restart your system regularly
Incidents are not a matter of if…
Prepare
Protect
Questions?
Tyler Hudak
Tyler.Hudak@trustedsec.com
@secshoggoth
2022 Cybersecurity Conference
Tabletop Exercise
October 12, 2022
Incident Response
Tabletop Exercise Goals
Gain experience with a real-world situation and test:
• Effectiveness of Incident Response Policy;
• Incident Response capabilities; and
• Interactions between Incident Response teams.
Everyone has a plan until they get punched in the face.
- Mike Tyson
The Situation
You work at a medium sized manufacturing company with 50 employees. You
have a small IT team, but no dedicated security people.
Budget has been tight but you’ve been able to improve security somewhat.
You’ve been able to purchase:
• Advanced endpoint protection software
• Cyber Insurance
Saturday 8AM
You receive a call on a Saturday morning at 8AM.
Employees coming in for the weekend shift have found that systems are not
working.
The following note is popping up on everyone’s computers.
First Steps
You must make a quick decision on what
to do.
Shut down every system in the environment.
Use your endpoint security system to isolate
compromised systems.
Shut Down Systems
You quickly shut down systems.
This is effective at stopping the spread of the ransomware.
However, investigative teams are unable to reconstruct the
attacker’s full activity because key pieces of forensic data were
lost.
Isolate Systems
While this takes some time, your new endpoint software is
effective at isolating systems.
It turns out that the ransomware had already run its course by the
time you responded and had compromised everything it was going
to.
By not shutting down systems, investigative teams were able to
reconstruct much of the attacker’s activities.
A Little Breather
The attack has been momentarily contained. Some
senior leadership want to begin notifying clients
while others want to contact insurance.
Who do you contact?
Contact cyber insurance.
Contact clients to let them know you are
down.
Contact Clients
You begin to reach out to clients immediately and let them know
the organization has been compromised.
Clients begin asking more and more questions, and your staff (and
sales and communications) are soon overwhelmed.
Within hours, the media has begun to call and ask questions for
their upcoming story on your breach.
Contact Cyber Insurance
You were diligent with your cyber insurance policy to ensure that
activating it gives you access to a:
• Breach Coach
• Incident Response Firm
• Crisis Communications Firm
Soon you are receiving good advice and are well on your way to
getting back online.
What happened?
With your third parties assisting, you have time to determine the scope
of the incident. Initial indications are the attackers broke in through a
phishing attack.
Your IR team states they have not finished their investigation.
However, you have pressure from clients and leadership to bring things
back online ASAP.
What do you do first?
Start recovery
Investigate the incident further
Recovery
Through luck, the attackers were unable to remove backups so
you can recover systems quickly.
Unfortunately, without a complete investigation, you did not
determine when the original attack occurred.
Due to this, you restored attacker backdoors into the environment,
allowing them back in.
They re-encrypted all systems and did not make the same mistake
about missing the backups.
Investigate
You allow the IR team to complete their investigation.
The team finds backdoors installed on several
workstations and pinpoints the exact date of initial
compromise.
This allows you to complete restoration without allowing
the attacker to reenter the environment.
The End
The incident is over and everything has been
restored. This was a tough ordeal and many just
want a break to put it behind them.
Do you?
Discuss what happened
Count your blessings and move on
Do Nothing
You, and everyone else, are relieved that the incident is over. You
move on, catching up on the projects that got delayed due to the
attack.
Unfortunately, since no post-incident lessons learned meetings
were held, weeks later a user falls for a phishing attack which
allows another group into the environment.
It starts again.
Lessons Learned
Despite the fatigue, you know post incident meetings are a must.
You hold these and determine that your users are not educated
enough about phishing attacks.
Leadership grants you money to educate users, get better
protections, and perform your own phishing tests.
Weeks later, a user reports a phish they received. Analysis
determined that it was sent from another ransomware group.
Disaster averted.
Congratulations!!!
You made it through the
ransomware attack!
Thank You!
Tyler Hudak
Tyler.Hudak@trustedsec.com
@secshoggoth
Legal Perspective on Cybersecurity:
Pre-breach Planning, Incident Response & Ransomware Negotiation
Jarman J. Smith, Brouse McDowell
3rd Annual Rea & Associates
Cybersecurity Conference with Walsh University
October 12, 2022
Agenda
Introduction
U.S. Legal Privacy Framework
Pre-Breach Planning/Compliance
Incident Response
Ransomware Negotiation
Questions
Introduction
Jarman J. Smith
• Associate Attorney at Brouse McDowell
• Corporate Practice Group
• Cybersecurity & Data Privacy Team
• Helps organizations with:
• Privacy law compliance
• Pre-breach planning
• Incident response requirements
The Facts
• Reported: 3 out of 4 organizations have fallen victim to ransomware
• Cybercriminals can penetrate 93% of company networks
• Average cost of a data breach in U.S. is $4.24 million
• 30% of data breaches in U.S. involve internal actors
• Small business survey: Only about 50% felt prepared for an attack
No organization is completely safe…
Image: https://www.pitsasinsurances.com/en/article/cyber-attack-insurances/
…but preparation is key.
U.S. Legal Privacy Framework
• Heavily influenced by European regulations
• No single comprehensive federal law – different laws based on industries
• Financial Privacy (e.g., GLBA)
• Educational Privacy
• Health Privacy (e.g., HIPAA)
• Section 5 of FTC Act prohibiting deceptive and unfair practices
• Pending federal law – American Data Privacy and Protection Act
• State laws
• Data Breach Notification – All 50 states and most territories
• State financial privacy laws (many states have incorporated PCI DSS into laws)
• California, Colorado, Connecticut, Delaware, Ohio, Utah and Virginia
Pre-Breach Planning/Compliance
• Understand your current cybersecurity posture
• Determine applicable regulations
• Implement written policies and procedures
• Encrypt and back up critical data
• Manage and regulate vendor relationships
• Obtain adequate cyber insurance
• Train your employees!
Incident Response
• Preparation
• Threat Detection
• Containment
• Investigation
• Eradication
• Recovery
• Follow-Up
RANSOMWARE ATTACK!
Ransomware Negotiation
• You need a team!
• Independent IT specialists
• Legal advisors
• Law enforcement
• Insurance agents
• Reputation of attacker? (FBI records)
• Work within parameters set by attacker
• Obtain verifiable proof of data
• Leverage: Recoverable data
• Review insurance policies
• Be informed before making decisions
QUESTIONS?
Jarman J. Smith
jsmith@brouse.com
(330) 532-7641
3744 Starr Centre Dr, Canfield, OH 44406
Mercy A. Komar, CIC, cyRM, MLIS
Cyber Risk Manager, Commercial Lines Manager
Email: mkomar@lcalvinjones.com
Office #: (330) 533-1195 x224
Office Fax #: (330) 533-8200
Website: www.lcalvinjones.com
CMMC 2.0
12 October 2022
Matthew Travis
CEO
• One Year Later, Where Are We?
• What Has Changed
  ‒ The CMMC Model
  ‒ CMMC Rules
  ‒ Our Name, Brand, and Organization
• CMMC Rulemaking
• Voluntary Assessments
• Status of the CMMC Ecosystem
• Life as a CMMC Assessor
• Big Remaining Issues
  ‒ Cost
  ‒ Legal Consequences
  ‒ Reciprocity
  ‒ The Cloud
• Ethics
• Help is Out There
• The Future
Cybersecurity Maturity Model Certification (CMMC)
CMMC 2.0
• LEVEL 3 (Expert)
  Model: 110+ practices based on NIST SP 800-172
  Assessments: Triennial Gov’t-led (CUI, highest priority programs)
• LEVEL 2 (Advanced)
  Model: 110 practices aligned with NIST SP 800-171
  Assessments: Triennial Third-Party (CUI, prioritized acquisitions); Annual Self-Assessment (CUI, non-prioritized acquisitions)
• LEVEL 1 (Foundational)
  Model: 17 practices
  Assessments: Annual Self-Assessment (FCI, not critical to national security)
Cyber Hygiene
Is Your Business At Risk?
Loren Wagner
Director of Risk
lwagner@centracomm.net
Loren is actively engaged in helping organizations become more secure and compliant by
performing risk assessments and advisory services based on the NIST Cybersecurity
Framework, NIST SP 800-171, and the DoD’s Cybersecurity Maturity Model Certification
(CMMC) program. Loren is a designated CMMC-AB Registered Practitioner.
Prior to joining CentraComm, Loren held global senior management positions for a major
manufacturer in information security, networking, and data center operations. Loren is a
respected expert in his field and has presented papers and provided dozens of
presentations to organizations regarding risk mitigation, cybersecurity & information
technology. Loren has a Doctorate in Information Assurance from the University of Fairfax,
an MBA from The University of Findlay and a Certificate in Security Management from the
National Defense University. A part-time lecturer at the University of Findlay for more than
20 years, he played a major role in the development of their Information Assurance
Program. Loren is a veteran of the U.S. Air Force.
Discussion Topics
Threat Overview
• Who Are The Targets?
• The Statistics
Cybersecurity Take-Aways & Action Steps
• 8 Critical Factors To Protect Your Business
• Framework Adoption
• The Legal Aspect
Wrap Up
The Daily Barrage
Practically every day, we see news
articles or receive alerts relating to
another organization falling victim
to a ransomware attack or this
season’s scam.
• Uber
• Lee County Emergency Medical Services
• New Hampshire Lottery
• Twitter
• Molson Coors
• Marriott
• California DMV
• Michigan State University
The Totality of Losses
https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf
FBI’s Internet Crime Complaint Center (IC3)
Prevalent Events
https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf
What Business You Are In Doesn’t Matter!
“I’ve seen hairdressers, tire shops, paving places…they don’t think
they’re going to be the victim, but anyone can be the victim of a
cyber crime.”
- SAMANTHA BALTZERSEN, SUPERVISORY SPECIAL AGENT, FBI CYBER SQUAD
Do you know…
• Businesses lost around $8,500 per hour due to ransomware-induced downtime. - Govtech
• Most affected clients actually experienced 3 to 14 days of downtime. – NinjaRMM
• According to RSA Security, the future of this growing threat will include not just a lockdown on integral files and folders, but access to networks and accounts. - RSA Security
Key Statistics
• 43% of all data breaches involve small and medium-sized businesses
• 43% of SMBs do not have any cybersecurity plan in place
• 61% of all SMBs have reported at least one cyber attack during the previous year
• 83% of small and medium-sized businesses are not financially prepared to recover from a cyber attack
• 91% of small businesses haven’t purchased cyber liability insurance
• One in five small companies does not use endpoint security
https://www.forbes.com/sites/chuckbrooks/2022/01/21/cybersecurity-in-2022--a-fresh-look-at-some-very-alarming-stats/?sh=5fdd99d56b61
Top 10 States Reporting
https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf
What Can a Small Business Do To Prevent Becoming One of These Statistics?
What If This Were To Happen To My Company?
• Am I completely helpless and unable to defend against these business-impacting events?
• If there are steps to avoid becoming a victim, what are they?
The Answer: Practice Cybersecurity Hygiene
Almost all successful
attacks take advantage of
conditions that could
reasonably be described
as “poor cyber hygiene.”
*Tony Sager is a Senior Vice President and Chief Evangelist for CIS (The Center for Internet Security). In this role, he leads the development of the CIS
Controls, a worldwide consensus project to find and support technical best practices in cybersecurity, August 2020.
Cybersecurity Hygiene
“Relatively simple, well-defined actions:
• Patching Known Vulnerabilities
• Management of Privileges
• Proper Configuration Management
can provide significant value - but not a complete cure - for many cyber health problems.” – T Sager, August 2020
How Do I Understand My Vulnerabilities?
Effective Cyber Hygiene is all about Risk Management
A Vulnerability Assessment can start you down the right
path
Effective Cyber Hygiene = Risk Management
8 Critical Factors
#1 - Appropriate Policies
Examples:
• Acceptable Use
• Change Management
• Configuration Management
• Access Management
#2 - Patching Considerations of Known Vulnerabilities
Operating Systems:
• Microsoft Windows
• Apple OS
Applications:
• Adobe Products
• Browsers
• iTunes
• Java
• Microsoft Office Products
Older, unused products
#3 - Management of Privileges: Proper Credentials
Follow the concept of “least privilege”.
• Do not use Privileged or Administrative Accounts if not needed for the task
• Removing admin rights could have mitigated 75% of critical vulnerabilities according to Microsoft 2022 vulnerabilities report
• PC & Laptop accounts often are created with Admin Privilege – remove this access
• Such access is particularly dangerous when surfing the web
#4 - Proper Configuration Management
Often PCs, Laptops, & Servers are run with installations out of the box:
• Remove default accounts that are not needed
• Change default passwords
• Use Windows Firewall
• Use Windows A/V
#5 - Backup & Recovery: Backup Important Data
• Backup devices regularly
• Maintain offline copies
• Make sure you can recover files from backups
#6 – Build Awareness
Recognizing the Human Factor
“We all need to be a part of this fight
against the cyber attackers. We all
matter. One person in a company can
be the determining factor whether or
not that company’s cyber defenses are
going to work or fail.”
SAMANTHA BALTZERSEN, SUPERVISORY SPECIAL AGENT, FBI
CYBER SQUAD
#7 - Incident Management
• Incident Response
• Run tabletop exercises
• Repeat process on a regular basis
#8 – Multi-Factor Authentication (MFA)
• Remote Accounts
• Admin Accounts
• Sensitive Data Access
• A must have for Cyber Insurance
Ransomware Example
Bitcoins = $19,514.80 each (as of 9/30/2022)
Relevant Frameworks
• NIST Cybersecurity Framework
• NIST 800-171
• CIS Critical Security Controls
Legal Factors
Data Protection Act
Ohio Senate Bill 0220
Intended to provide businesses with an
incentive, a safe harbor, by maintaining a
cybersecurity program that substantially
complies with one of eight industry
recommended frameworks
https://www.legislature.ohio.gov/legislation/legislation-summary?id=GA132-SB-220
Legal Factors
Security Breach
Security Breach Notification Act (ORC 1349.19)
Consumers must be notified of any security
breach to stored personal information that
may reasonably cause a material risk of
identity theft or other fraud
Consumers must be notified in the quickest
way possible, but not later than 45 days after
the breach is discovered.
https://www.ohioattorneygeneral.gov/Business/Services-for-Business/Business-Guide/Personal-Information-for-Consumers#:~:text=Do%20consumers%20need%20to%20be,identity%20theft%20or%20other%20fraud
Preparation Is Key
• Execute Plans For Maintaining Cyber Hygiene
• Consider MSP Services
• Implement Multi-Factor Authentication
• Have Backups and Test Your Backups Regularly
• Know How Long It Will Take To Recover
• Consider Cyber Insurance
• Strongly Recommend A Vulnerability Assessment
“It is not a matter of if you are attacked, it is a matter of when.” Be Prepared!
CentraComm Overview
Founded in 2001, CentraComm is an IT cybersecurity, network
infrastructure, and compliance provider that operates as an extension of
your IT department:
• Provides IT risk, managed, and professional services supporting customer’s business goals and strategic business technology initiatives
• Has around-the-clock engineering team and value-added services that deliver peace of mind for customers
• Utilizes top technology supported by industry-certified, top-level talent
• Has two Data Centers supporting Co-Location, Disaster Recovery, etc.
• Supports Fortune 50, educational institutions, and small to medium-sized businesses allowing them to innovate efficiently, be compliant, and remain secure
Questions?
THANK YOU
www.centracomm.net
lwagner@centracomm.net
CMMC Panel
Paul Hugenberg
Rea & Associates
(330) 651-7040
paul.hugenberg@reacpa.com
Ty Whittenburg
Vernovis
(614) 467-0762
twhittenburg@vernovis.com
Steve Naughton
Vestige
(330) 721-1205 x5783
snaughton@vestigeltd.com
U/FOUO//LES
U.S. Secret Service
Cyber Fraud Task Force
Business Email Compromise Attacks
Knowledge is Power
“In a time of turbulence and change, it is more true than
ever that knowledge is power.”
-John F. Kennedy
Business Email Compromise is driven by
the interception, and subsequent
weaponization of contemporaneous and
privileged information
Threat Vector - Everyone
Everyone
Business Email Compromise can affect the largest global
corporations all the way down to the individual consumer
Evolution of BEC
BEC is an amalgam of several
fraud schemes that have evolved
into one overarching scheme
• Phishing: Using malware, privileged information is uncovered and exploited through various legacy phishing schemes
• Whaling: More elaborate fraud schemes are developed that target high level and C-Suite employees
• CEO Impersonation: Sensitive/proprietary business information allows fraudsters to impersonate c-suite and supervisory employees
Threat Vectors
Duality of Scheme Creates
Multiple Vectors of Vulnerability
BEC is focused on Business side
exploitation
The IT system of a business is
infiltrated, and privileged emails
can be accessed, diverted, and
read by bad actors
EAC is focused on personal email
intrusion
A personal email account (e.g.
gmail, yahoo, hotmail, etc) is
infiltrated by bad actors
Often the financial victim has not been
compromised
Enterprise Business Model
Operate as businesses – Top to bottom model
Department: Description
• C-Suite: Sets design and targets businesses – Eastern Europe, West Africa
• IT Wing: Carries out hacking, malware, email monitoring – Global
• HR/Recruitment: Recruits IT wing, financial actors – Eastern Europe, West Africa
• Finance/Banking: Sets process for wire transfers and Money Laundering – Global, Local
• Enforcers: Ensures financial cooperation and following of orders – Global
• Admins: Maintain shell companies and legitimate business liaisons – Local
• Burn party: After successful schemes, enterprise burns all materials – Global
Global BEC Activity
Eastern Europe
West Africa
China & Hong Kong
Israel/M.E.
Operational Tactic – Email Rules
• Once the criminal actors gain access to email accounts, the most common form of surveillance is to set up email rules in the account settings to auto-forward, then delete the auto-forwarded emails to avoid detection.
• Other than the email rule, no evidence of the surveillance is visible. This allows the actor to remotely monitor the account even if the password is changed.
• If the password or access method remains the same, the criminal actor will manipulate the victim's inbox to prevent detection or to further facilitate the fraudulent transactions.
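A triage pass for the forward-then-delete rule pattern described on this slide, added here as an example and not part of the original presentation. The field names follow the properties that Exchange Online's Get-InboxRule returns; the sample rules, the `example.com` domain and the severity labels are constructed assumptions.

```python
import re

# Assumption: the organisation's own mail domains (subdomains count as internal).
INTERNAL_DOMAINS = {"example.com"}

# Constructed sample export. Field names follow Get-InboxRule properties;
# mailboxes, rule names and addresses are made up for this example.
SAMPLE_RULES = [
    {"Mailbox": "ap.clerk@example.com", "Name": ".", "Enabled": True,
     "ForwardTo": ['"ap" [SMTP:ap.clerk.example@gmail.com]'],
     "ForwardAsAttachmentTo": [], "RedirectTo": [], "DeleteMessage": True},
    {"Mailbox": "cfo@example.com", "Name": "Newsletters", "Enabled": True,
     "ForwardTo": [], "ForwardAsAttachmentTo": [], "RedirectTo": [],
     "DeleteMessage": False},
    {"Mailbox": "sales@example.com", "Name": "Copy to assistant", "Enabled": True,
     "ForwardTo": ['"Assistant" [SMTP:assistant@hq.example.com]'],
     "ForwardAsAttachmentTo": [], "RedirectTo": [], "DeleteMessage": False},
    {"Mailbox": "hr@example.com", "Name": "fwd", "Enabled": False,
     "ForwardTo": None, "ForwardAsAttachmentTo": [],
     "RedirectTo": ['"x" [SMTP:hr.example@yahoo.fr]'], "DeleteMessage": False},
]

ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
FORWARD_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
SEVERITY_ORDER = {"high": 0, "medium": 1}


def is_internal(domain, internal_domains):
    """True when the domain is one of ours or a subdomain of one of ours."""
    domain = domain.lower()
    return any(domain == d or domain.endswith("." + d) for d in internal_domains)


def external_targets(rule, internal_domains):
    """Collect every outside address a rule forwards or redirects mail to."""
    found = set()
    for field in FORWARD_FIELDS:
        for value in rule.get(field) or []:   # the field may be None or missing
            for match in ADDR_RE.finditer(value):
                if not is_internal(match.group(1), internal_domains):
                    found.add(match.group(0).lower())
    return sorted(found)


def triage_rule(rule, internal_domains):
    """Return a finding for a rule that sends mail outside, else None."""
    targets = external_targets(rule, internal_domains)
    if not targets:
        return None
    # Forwarding outside and deleting the original is the pattern from the slide.
    severity = "high" if rule.get("DeleteMessage") else "medium"
    return {
        "mailbox": rule["Mailbox"],
        "rule": rule["Name"],
        "severity": severity,
        "targets": targets,
        # Disabled rules stay in the report: they can be leftover evidence.
        "enabled": bool(rule.get("Enabled", True)),
    }


def triage(rules, internal_domains=INTERNAL_DOMAINS):
    """Triage all rules and list the most serious findings first."""
    findings = [f for f in (triage_rule(r, internal_domains) for r in rules) if f]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


if __name__ == "__main__":
    for finding in triage(SAMPLE_RULES):
        print(finding)
```

Because the rule keeps working after a password change, a finding calls for removing the rule and reviewing the mailbox, not only resetting credentials.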
Attack Tactics
• Addition of @gmail.com, @yahoo.com, @yahoo.fr
  Realemail.realdomain@gmail.com
• Display Name masking & Google dot matrix
  Email service providers allow a display name to replace actual email address
  secret.service@gmail.com reverts back to secretservice@gmail.com
• Spoofed email addresses
  mike@email.com vs. rnike@email.com
  Lincoln@email.com vs. Iincoln@email.com
• Changed/Spoofed domain names
  www.secureworld.com vs www.securevvorld.com
• Full email account take over and VPN Access
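A sender check that catches the address tricks listed on this slide, added here as an example and not part of the original presentation. It folds only the substitutions the slide shows (`rn` for `m`, capital `I` for `l`, `vv` for `w`), ignores dots in Gmail local parts, and spots a contact's name and company pasted in front of a free-mail domain. The contact list and the result labels are constructed assumptions.

```python
# Assumption: free-mail domains named on the slide.
FREEMAIL = {"gmail.com", "yahoo.com", "yahoo.fr"}

# Constructed list of addresses the organisation really corresponds with.
KNOWN_CONTACTS = [
    "mike@email.com",
    "Lincoln@email.com",
    "billing@secureworld.com",
    "secretservice@gmail.com",
]


def skeleton(text):
    """Fold look-alike character sequences so visually similar strings compare equal."""
    # Capital I renders like lowercase l in many fonts; fold it before lowercasing.
    folded = text.replace("I", "l").lower()
    return folded.replace("rn", "m").replace("vv", "w")


def split_addr(addr):
    """Split an address into (local part, domain)."""
    local, _, domain = addr.rpartition("@")
    return local, domain


def mailbox_key(addr):
    """Canonical mailbox: lowercase, and dots in a Gmail local part are ignored."""
    local, domain = split_addr(addr.lower())
    if domain == "gmail.com":
        local = local.replace(".", "")
    return f"{local}@{domain}"


def classify_sender(sender, known=KNOWN_CONTACTS):
    """Return (label, matched_contact) for a sender address."""
    for contact in known:
        if sender.lower() == contact.lower():
            return ("exact", contact)

    s_local, s_domain = split_addr(sender)
    for contact in known:
        k_local, k_domain = split_addr(contact)

        # Same Gmail mailbox written with different dots.
        if mailbox_key(sender) == mailbox_key(contact):
            return ("gmail-dot-variant", contact)

        # Looks identical after folding, but is not the same string.
        if (skeleton(s_local) == skeleton(k_local)
                and skeleton(s_domain) == skeleton(k_domain)):
            if s_domain.lower() != k_domain.lower():
                return ("lookalike-domain", contact)
            return ("lookalike-address", contact)

        # Contact's local part plus company label in front of a free-mail domain.
        if s_domain.lower() in FREEMAIL and k_domain.lower() not in FREEMAIL:
            org_label = k_domain.split(".")[0]
            if skeleton(s_local.replace(".", "")) == skeleton(k_local + org_label):
                return ("freemail-impersonation", contact)

    return ("unknown", None)


if __name__ == "__main__":
    for addr in ("rnike@email.com", "Iincoln@email.com",
                 "billing@securevvorld.com", "secret.service@gmail.com",
                 "billing.secureworld@gmail.com", "mike@email.com"):
        print(addr, classify_sender(addr))
```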
Actual Phishing Attack
The Hook is Set
Intrusion Successful, Rules added
Attack Email 1
Attack Email 2
Emerging Trends
• Rise in use of cryptocurrency as means to launder funds – direct/second hop/third hop
• Exploitation factor increase
• “Pig Butchering”
• Continued use of Ancillary Fraud Schemes
• Increasingly sophisticated phishing sites being used to harvest credentials
• Consent-based Phishing/Malicious App use
• Deepfakes/AI/Machine Learning arrive in cyber fraud world
• Phishing as a service – Phishing kit usage expanding – Non-Technical Actors
• Industry and target indiscriminate
• Geographic and threat actor expansion
Key Takeaways
• Monitor email environment for unauthorized email rules
• Have a practiced incident response plan
  https://www.secretservice.gov/investigation/Preparing-for-a-Cyber-Incident
• Public/Private Partnerships are instrumental
• Information Sharing is Key – REPORT
• Contact USSS
  https://www.secretservice.gov/contact/field-offices
  USSS Cleveland: 216-750-2058
Cybersecurity Conference Tabletop Exercise Recap

  • 2. 2022 Cybersecurity Conference: Security Challenges & Incident Response, October 12, 2022
  • 3. Tyler Hudak, Sr. IR Consultant, Practice Lead – Incident Response, Tyler.Hudak@TrustedSec.com • 20+ years experience in Incident Response, Forensics, and Security • Trained/Presented at multiple conferences • Huge geek and nerd • Community ties:
  • 4. Origin of This Talk Search shodan.io for North Canton See multiple Remote Desktop open
  • 5. Agenda • What is the impact of cyber crime? • What can you expect when an incident happens? • What can you do to prevent incidents from occurring?
  • 6. Cyber Crime Impact 2021 Source: https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf
  • 7. But it’s not that bad…right? Don’t become complacent! Most attacks are not reported or in the news.
  • 8. Who is attacking? Organized Crime Hackers State Sponsored Insiders
  • 10. Most Common Attacks Business E-mail Compromise: $2.4 Billion FBI Reported Ransomware: $49.2 Million** Unreported Ransomware: $20+ Billion Source: https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf
  • 11. Incidents are not a matter of if… Prepare Protect
  • 13. Ransomware Lifecycle • Initial Foothold: Attacker enters environment (Phishing, Supply Chain, Remote Access). • Reconnaissance: Your environment is researched (What do you do? Where is your data? Where are your critical systems?). • Lateral Movement: Attacker becomes admin. Moves through your network to find your data. • Data Exfiltration: Sensitive data is sent out. Attacker will use this to extort you. • Deployment & Encryption: Ransomware encryption program is pushed to as many systems as possible. • Payment or Extortion: Attacker demands payment to: decrypt; not release data. • Timeline labels on the slide: Hours to months; Hours to days; Minutes to hours; Days to months.
  • 14. How do attackers get in? • Phishing • Remote Access • https://shodan.io • Credential Reuse • https://haveibeenpwned.com • Supply Chain • MSP, HVAC, etc.
  • 15. Incident Discovery Security Alerts 3rd Party Notification Users Attack Specific
  • 16. The First Few Minutes • Don’t panic. • Follow your plan. • Don’t have a plan? Create one now. • Isolate compromised systems, users and networks. • Shut down as last resort. • Don’t panic.
  • 17. Who Ya Gonna Call? Do you have the resources and expertise to take care of the incident? Cyber Insurance • Incident Response • Legal • Crisis Communications • IT Support • Law Enforcement. Can your MSP/IT do IR? Don’t wait to call. Talk to Legal about this. What do they provide? Internal or external? Stay ahead of the story.
  • 18. Investigate • How did they get in (RCA)? • What did they do? • What data was stolen? • Who was compromised? • Can you recover? Don’t skip this step!!! You can recover while you investigate.
  • 19. Root Cause Analysis Case Company hit with ransomware Wanted quick analysis, no root cause analysis Did not engage any IR companies Hit with ransomware 2 weeks later
  • 20. Attackers steal data to sell it Source: https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf But we don’t have data anyone wants! • Employee Information • Project Data • Client Information • Internal Emails • Personal Information • Financials
  • 21. Do Attackers Really Release Data?
  • 22. Eradicate and Recover • Are your backups intact / trustworthy? • How far back do you have to restore? • How long will it take to fully restore? • Who will validate the restoration? Questions To Ask Steps to Recovery • Find all compromised systems • Rebuild systems from clean image on clean network • Restore data from backup • Remove/Reset all affected accounts
  • 23. What if you can’t recover? Ransom Payment Questions to Consider Would you pay the ransom? How? Who is paying? What if you can’t pay?
  • 24. It’s all over… • Create an after action report • Hold a lessons learned meeting • Discuss the good and the bad • Do not finger point
  • 26. 1. Have a plan • Document tech and business responsibilities • Know who to contact • Set up these relationships BEFORE an incident occurs • Test your plan!
  • 27. 2. Use Strong Passwords • No Double Dipping: Not good with Chips Not good with Passwords! • Use Passphrases not • Use a Password Manager!
  • 28. Password Managers • 1Password - https://1password.com • KeePass (free) - https://keepass.info • LastPass - https://lastpass.com • Dashlane – https://dashlane.com
  • 29. 3. Multifactor Authentication (MFA) • Use everywhere you can! • Apps are better than text messages • Don’t push approve unless it’s really you! Beware of MFA Fatigue Attacks!
  • 30. 4. Take Backups • Protect your backups! • Store offline / tape • Test restorations
  • 31. 5. Talk to Your Users • Users may see attacks before they are detected • Educate them on what to look for • Give them a method on how to respond • Never shame/fire someone over getting compromised Look for these signs in your email: • Poor grammar or graphics • Bogus E-Mail Address • Aggressive call to action • Links don’t match
  • 32. 6. Stay Updated • Get updates from a trusted source • Enable Automatic Updates • Restart your system regularly
  • 33. Incidents are not a matter of if… Prepare Protect
  • 36. 2022 Cybersecurity Conference: Tabletop Exercise, October 12, 2022
  • 37. Incident Response Tabletop Exercise Goals Gain experience with a real-world situation and test: • Effectiveness of Incident Response Policy; • Incident Response capabilities; and • Interactions between Incident Response teams. “Everyone has a plan until they get punched in the face.” - Mike Tyson
  • 38. The Situation You work at a medium sized manufacturing company with 50 employees. You have a small IT team, but no dedicated security people. Budget has been tight but you’ve been able to improve security somewhat. You’ve been able to purchase: • Advanced endpoint protection software • Cyber Insurance
  • 39. Saturday 8AM You receive a call on a Saturday morning at 8AM. Employees coming in for the weekend shift have found that systems are not working. The following note is popping up on everyone’s computers.
  • 41. First Steps You must make a quick decision on what to do. • Shut down every system in the environment. • Use your endpoint security system to isolate compromised systems.
  • 42. Shut Down Systems You quickly shut down systems. This is effective at stopping the spread of the ransomware. However, investigative teams are unable to reconstruct the attacker’s full activity because key pieces of forensic data were lost.
  • 43. Isolate Systems While this takes some time, your new endpoint software is effective at isolating systems. It turns out that the ransomware had already run its course by the time you responded and had compromised everything it was going to. By not shutting down systems, investigative teams were able to reconstruct much of the attacker’s activities.
  • 44. A Little Breather The attack has been momentarily contained. Some senior leadership want to begin notifying clients while others want to contact insurance. Who do you contact? • Contact cyber insurance. • Contact clients to let them know you are down.
  • 45. Contact Clients You begin to reach out to clients immediately and let them know the organization has been compromised. Clients begin asking more and more questions, and your staff (and sales and communications) are soon overwhelmed. Within hours, the media has begun to call and ask questions for their upcoming story on your breach.
  • 46. Contact Cyber Insurance You were diligent with your cyber insurance policy to ensure that activating it gives you access to a: • Breach Coach • Incident Response Firm • Crisis Communications Firm Soon you are receiving good advice and are well on your way to getting back online.
  • 47. What happened? With your third parties assisting, you have time to determine the scope of the incident. Initial indications are the attackers broke in through a phishing attack. Your IR team states they have not finished their investigation. However, you have pressure from clients and leadership to bring things back online ASAP. What do you do first? • Start recovery • Investigate the incident further
  • 48. Recovery Through luck, the attackers were unable to remove backups so you can recover systems quickly. Unfortunately, without a complete investigation, you did not determine when the original attack occurred. Due to this, you restored attacker backdoors into the environment, allowing them back in. They re-encrypted all systems and did not make the same mistake about missing the backups.
  • 49. Investigate You allow the IR team to complete their investigation. The team finds backdoors installed on several workstations and pinpoints the exact date of initial compromise. This allows you to complete restoration without allowing the attacker to reenter the environment.
  • 50. The End The incident is over and everything has been restored. This was a tough ordeal and many just want a break to put it behind you. Do you: • Discuss what happened • Count your blessings and move on
  • 51. Do Nothing You, and everyone else, are relieved that the incident is over. You move on, catching up on the projects that got delayed due to the attack. Unfortunately, since no post-incident lessons learned meetings were held, weeks later a user falls for a phishing attack which allows another group into the environment. It starts again.
  • 52. Lessons Learned Despite the fatigue, you know post incident meetings are a must. You hold these and determine that your users are not educated enough about phishing attacks. Leadership grants you money to educate users, get better protections, and perform your own phishing tests. Weeks later, a user reports a phish they received. Analysis determined that it was sent from another ransomware group. Disaster averted.
  • 53. Congratulations!!! You made it through the ransomware attack!
  • 56. Legal Perspective on Cybersecurity: Pre-breach Planning, Incident Response & Ransomware Negotiation Jarman J. Smith, Brouse McDowell 3rd Annual Rea & Associates Cybersecurity Conference with Walsh University October 12, 2022
  • 57. Agenda • Introduction • U.S. Legal Privacy Framework • Pre-Breach Planning/Compliance • Incident Response • Ransomware Negotiation • Questions
  • 58. Introduction Jarman J. Smith • Associate Attorney at Brouse McDowell • Corporate Practice Group • Cybersecurity & Data Privacy Team • Helps organizations with: • Privacy law compliance • Pre-breach planning • Incident response requirements
  • 59. The Facts • Reported: 3 out of 4 organizations have fallen victim to ransomware • Cybercriminals can penetrate 93% of company networks • Average cost of a data breach in U.S. is $4.24 million • 30% of data breaches in U.S. involve internal actors • Small business survey: Only about 50% felt prepared for an attack
  • 60. No organization is completely safe… Image: https://www.pitsasinsurances.com/en/article/cyber-attack-insurances/
  • 62. U.S. Legal Privacy Framework • Heavily influenced by European regulations • No single comprehensive federal law – different laws based on industries • Financial Privacy (e.g., GLBA) • Educational Privacy • Health Privacy (e.g., HIPAA) • Section 5 of FTC Act prohibiting deceptive and unfair practices • Pending federal law – American Data Privacy and Protection Act • State laws • Data Breach Notification – All 50 states and most territories • State financial privacy laws (many states have incorporated PCI DSS into laws) • California, Colorado, Connecticut, Delaware, Ohio, Utah and Virginia
  • 63. Pre-Breach Planning/Compliance • Understand your current cybersecurity posture • Determine applicable regulations • Implement written policies and procedures • Encrypt and back up critical data • Manage and regulate vendor relationships • Obtain adequate cyber insurance • Train your employees!
  • 64. Incident Response • Preparation • Threat Detection • Containment • Investigation • Eradication • Recovery • Follow-Up
  • 66. Ransomware Negotiation • You need a team! • Independent IT specialists • Legal advisors • Law enforcement • Insurance agents • Reputation of attacker? (FBI records) • Work within parameters set by attacker • Obtain verifiable proof of data • Leverage: Recoverable data • Review insurance policies • Be informed before making decisions
  • 69. 3744 Starr Centre Dr, Canfield, OH 44406 Mercy A. Komar, CIC, cyRM, MLIS Cyber Risk Manager, Commercial Lines Manager Email: mkomar@lcalvinjones.com Office #: (330) 533-1195 x224 Office Fax #: (330) 533-8200 Website: www.lcalvinjones.com
  • 72. CMMC 2.0 12 October 2022 Matthew Travis CEO
  • 73. Cybersecurity Maturity Model Certification (CMMC) • One Year Later, Where Are We? • What Has Changed ‒ The CMMC Model ‒ CMMC Rules ‒ Our Name, Brand, and Organization • CMMC Rulemaking • Voluntary Assessments • Status of the CMMC Ecosystem • Life as a CMMC Assessor • Big Remaining Issues ‒ Cost ‒ Legal Consequences ‒ Reciprocity ‒ The Cloud • Ethics • Help is Out There • The Future
  • 75. Cybersecurity Maturity Model Certification (CMMC): CMMC 2.0 • Model: Level 3 Expert, 110+ practices based on NIST SP 800-172; Level 2 Advanced, 110 practices aligned with NIST SP 800-171; Level 1 Foundational, 17 practices • Assessments: Triennial Gov’t-led; Triennial Third-Party; Annual Self-Assessment • Programs and data: CUI, highest priority programs; CUI, prioritized acquisitions; CUI, non-prioritized acquisitions; FCI, not critical to national security
  • 85. Cyber Hygiene Is Your Business At Risk? Loren Wagner lwagner@centracomm.net
  • 86. Loren Wagner Director of Risk lwagner@centracomm.net Loren is actively engaged in helping organizations become more secure and compliant by performing risk assessments and advisory services based on the NIST Cybersecurity Framework, NIST SP 800-171, and the DoD’s Cybersecurity Maturity Model Certification (CMMC) program. Loren is a designated CMMC-AB Registered Practitioner. Prior to joining CentraComm, Loren held global senior management positions for a major manufacturer in information security, networking, and data center operations. Loren is a respected expert in his field and has presented papers and provided dozens of presentations to organizations regarding risk mitigation, cybersecurity & information technology. Loren has a Doctorate in Information Assurance from the University of Fairfax, an MBA from The University of Findlay and a Certificate in Security Management from the National Defense University. A part-time lecturer at the University of Findlay for more than 20 years, he played a major role in the development of their Information Assurance Program. Loren is a veteran of the U.S. Air Force.
  • 87. Discussion Topics Threat Overview • Who Are The Targets? • The Statistics Cybersecurity Take-Aways & Action Steps • 8 Critical Factors To Protect Your Business • Framework Adoption • The Legal Aspect Wrap Up
  • 88. The Daily Barrage Practically every day, we see news articles or receive alerts relating to another organization falling victim to a ransomware attack or this season’s scam. • Uber • Lee County Emergency Medical Services • New Hampshire Lottery • Twitter • Molson Coors • Marriott • California DMV • Michigan State University
  • 89. The Totality of Losses https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf FBI’s Internet Crime Complaint Center (IC3)
  • 92. What Business You Are In Doesn’t Matter! “I’ve seen hairdressers, tire shops, paving places…they don’t think they’re going to be the victim, but anyone can be the victim of a cyber crime.” SAMANTHA BALTZERSEN, SUPERVISORY SPECIAL AGENT, FBI CYBER SQUAD
  • 93. Do you know… • Businesses lost around $8,500 per hour due to ransomware-induced downtime. - Govtech • Most affected clients actually experienced 3 to 14 days of downtime. – NinjaRMM • According to RSA Security, the future of this growing threat will include not just a lockdown on integral files and folders, but access to networks and accounts. - RSA Security
  • 94. Key Statistics • 43% of all data breaches involve small and medium-sized businesses • 43% of SMBs do not have any cybersecurity plan in place • 61% of all SMBs have reported at least one cyber attack during the previous year • 83% of small and medium-sized businesses are not financially prepared to recover from a cyber attack • 91% of small businesses haven’t purchased cyber liability insurance • One in five small companies does not use endpoint security https://www.forbes.com/sites/chuckbrooks/2022/01/21/cybersecurity-in-2022--a-fresh-look-at-some-very-alarming-stats/?sh=5fdd99d56b61
  • 95. Top 10 States Reporting https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf What Can a Small Business Do To Prevent Becoming One of These Statistics?
  • 96. What If This Were To Happen To My Company? • Am I completely helpless and unable to defend against these business-impacting events? • If there are steps to avoid becoming a victim, what are they?
  • 97. The Answer: Practice Cybersecurity Hygiene Almost all successful attacks take advantage of conditions that could reasonably be described as “poor cyber hygiene.” *Tony Sager is a Senior Vice President and Chief Evangelist for CIS (The Center for Internet Security). In this role, he leads the development of the CIS Controls, a worldwide consensus project to find and support technical best practices in cybersecurity, August 2020.
  • 98. Cybersecurity Hygiene “Relatively simple, well-defined actions: • Patching Known Vulnerabilities • Management of Privileges • Proper Configuration Management can provide significant value - but not a complete cure - for many cyber health problems.” – T Sager, August 2020
  • 99. How Do I Understand My Vulnerabilities? Effective Cyber Hygiene is all about Risk Management A Vulnerability Assessment can start you down the right path
  • 100. Effective Cyber Hygiene = Risk Management 8 Critical Factors
  • 101. #1 - Appropriate Policies Examples: • Acceptable Use • Change Management • Configuration Management • Access Management
  • 102. #2 - Patching Considerations of Known Vulnerabilities Operating Systems: • Microsoft Windows • Apple OS Applications: • Adobe Products • Browsers • iTunes • Java • Microsoft Office Products Older, unused products
  • 103. #3 - Management of Privileges: Proper Credentials Follow the concept of “least privilege”. • Do not use Privileged or Administrative Accounts if not needed for the task • Removing admin rights could have mitigated 75% of critical vulnerabilities according to Microsoft 2022 vulnerabilities report • PC & Laptop accounts often are created with Admin Privilege – remove this access • Such access is particularly dangerous when surfing the web
  • 104. #4 - Proper Configuration Management Often PCs, Laptops, & Servers are run with installations out of the box: • Remove default accounts that are not needed • Change default passwords • Use Windows Firewall • Use Windows A/V
  • 105. #5 - Backup & Recovery: Backup Important Data • Backup devices regularly • Maintain offline copies • Make sure you can recover files from backups
  • 106. #6 – Build Awareness Recognizing the Human Factor “We all need to be a part of this fight against the cyber attackers. We all matter. One person in a company can be the determining factor whether or not that company’s cyber defenses are going to work or fail.” SAMANTHA BALTZERSEN, SUPERVISORY SPECIAL AGENT, FBI CYBER SQUAD
  • 107. #7 - Incident Management • Incident Response • Run tabletop exercises • Repeat process on a regular basis
  • 108. #8 – Multi-Factor Authentication (MFA) • Remote Accounts • Admin Accounts • Sensitive Data Access • A must have for Cyber Insurance
  • 109. Ransomware Example Bitcoins = $19,514.80 each (as of 9/30/2022)
  • 110. Relevant Frameworks NIST Cybersecurity Framework NIST 800-171 CIS Critical Security Controls
  • 111. Legal Factors Data Protection Act Ohio Senate Bill 0220 Intended to provide businesses with an incentive, a safe harbor, by maintaining a cybersecurity program that substantially complies with one of eight industry recommended frameworks https://www.legislature.ohio.gov/legislation/legislation-summary?id=GA132-SB-220
  • 112. Legal Factors: Security Breach. Security Breach Notification Act (ORC 1349.19) • Consumers must be notified of any security breach to stored personal information that may reasonably cause a material risk of identity theft or other fraud • Consumers must be notified in the quickest way possible, but not later than 45 days after the breach is discovered. https://www.ohioattorneygeneral.gov/Business/Services-for-Business/Business-Guide/Personal-Information-for-Consumers#:~:text=Do%20consumers%20need%20to%20be,identity%20theft%20or%20other%20fraud
  • 113. Preparation Is Key • Execute Plans For Maintaining Cyber Hygiene • Consider MSP Services • Implement Multi-Factor Authentication • Have Backups and Test Your Backups Regularly • Know How Long It Will Take To Recover • Consider Cyber Insurance • Strongly Recommend A Vulnerability Assessment “It is not a matter of if you are attacked, it is a matter of when.” Be Prepared!
  • 114. CentraComm Overview Founded in 2001, CentraComm is an IT cybersecurity, network infrastructure, and compliance provider that operates as an extension of your IT department: • Provides IT risk, managed, and professional services supporting customer’s business goals and strategic business technology initiatives • Has around-the-clock engineering team and value-added services that deliver peace of mind for customers • Utilizes top technology supported by industry-certified, top-level talent • Has two Data Centers supporting Co-Location, Disaster Recovery, etc. • Supports Fortune 50, educational institutions, and small to medium-sized businesses allowing them to innovate efficiently, be compliant, and remain secure
  • 118. CMMC Panel Paul Hugenberg Rea & Associates (330) 651-7040 paul.hugenberg@reacpa.com Ty Whittenburg Vernovis (614) 467-0762 twhittenburg@vernovis.com Steve Naughton Vestige (330) 721-1205 x5783 snaughton@vestigeltd.com
  • 120. U/FOUO//LES U.S. Secret Service Cyber Fraud Task Force Business Email Compromise Attacks
  • 121. Knowledge is Power “In a time of turbulence and change, it is more true than ever that knowledge is power.” -John F. Kennedy. Business Email Compromise is driven by the interception, and subsequent weaponization, of contemporaneous and privileged information
  • 122. Threat Vector - Everyone: Business Email Compromise can affect the largest global corporations all the way down to the individual consumer
  • 123. Evolution of BEC: BEC is an amalgam of several fraud schemes that have evolved into one overarching scheme • Phishing: Using malware, privileged information is uncovered and exploited through various legacy phishing schemes • Whaling: More elaborate fraud schemes are developed that target high level and C-Suite employees • CEO Impersonation: Sensitive/proprietary business information allows fraudsters to impersonate c-suite and supervisory employees
  • 124. Threat Vectors: Duality of Scheme Creates Multiple Vectors of Vulnerability • BEC is focused on Business side exploitation: The IT system of a business is infiltrated, and privileged emails can be accessed, diverted, and read by bad actors • EAC is focused on personal email intrusion: A personal email account (e.g. gmail, yahoo, hotmail, etc) is infiltrated by bad actors • Often the financial victim has not been compromised
  • 125. Enterprise Business Model: Operate as businesses – Top to bottom model. Department and description: • C-Suite: Sets design and targets businesses – Eastern Europe, West Africa • IT Wing: Carries out hacking, malware, email monitoring – Global • HR/Recruitment: Recruits IT wing, financial actors – Eastern Europe, West Africa • Finance/Banking: Sets process for wire transfers and Money Laundering – Global, Local • Enforcers: Ensures financial cooperation and following of orders – Global • Admins: Maintain shell companies and legitimate business liaisons – Local • Burn party: After successful schemes, enterprise burns all materials – Global
  • 126. Global BEC Activity: Eastern Europe; West Africa; China & Hong Kong; Israel/M.E.
  • 127. Operational Tactic – Email Rules • Once the criminal actors gain access to email accounts, the most common form of surveillance is to set up email rules in the account settings to auto-forward, then delete the auto-forwarded emails to avoid detection. • Other than the email rule, no evidence of the surveillance is visible. This allows the actor to remotely monitor the account even if the password is changed • If the password or access method remains the same, the criminal actor will manipulate the victim's inbox to prevent detection or to further facilitate the fraudulent transactions
  • 128. Attack Tactics • Addition: @gmail.com, @yahoo.com, @yahoo.fr (Realemail.realdomain@gmail.com) • Display Name masking & google dot matrix: Email Service providers allow a display name to replace actual email address; secret.service@gmail.com reverts back to secretservice@gmail.com • Spoofed email addresses: mike@email.com vs. rnike@email.com; Lincoln@email.com vs. Iincoln@email.com • Changed/Spoofed domain names: www.secureworld.com vs www.securevvorld.com • Full email account take over and VPN Access
  • 134. Emerging Trends • Rise in use of cryptocurrency as means to launder funds – direct/second hop/third hop • Exploitation factor increase “Pig Butchering” • Continued use of Ancillary Fraud Schemes • Increasingly sophisticated phishing sites being used to harvest credentials • Consent-based Phishing/Malicious App use • Deepfakes/AI/Machine Learning arrive in cyber fraud world • Phishing as a service – Phishing kit usage expanding – Non-Technical Actors • Industry and target indiscriminate • Geographic and threat actor expansion
  • 135. Key Takeaways • Monitor email environment for unauthorized email rules • Have a practiced incident response plan: https://www.secretservice.gov/investigation/Preparing-for-a-Cyber-Incident • Public/Private Partnerships are instrumental • Information Sharing is Key – REPORT • Contact USSS: https://www.secretservice.gov/contact/field-offices • USSS Cleveland: 216-750-2058
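
The takeaway "monitor email environment for unauthorized email rules" can be run as a recurring audit. The script below is an added example, not part of the original slides: it assumes inbox rules have been exported to JSON with field names modelled on Exchange's Get-InboxRule properties (ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage), while the Mailbox field, the domains and the sample rules are constructed for illustration.

```python
import json
import re

# Constructed sample export: mailboxes, rule names and addresses are invented.
SAMPLE_RULES_JSON = """
[
  {"Mailbox": "alice@example.com", "Name": ".", "Enabled": true,
   "ForwardTo": ["Collector [SMTP:collector@mail-relay.example.net]"],
   "DeleteMessage": true},
  {"Mailbox": "bob@example.com", "Name": "Copy to assistant", "Enabled": true,
   "ForwardTo": ["assistant@example.com"], "DeleteMessage": false},
  {"Mailbox": "carol@example.com", "Name": "Newsletters", "Enabled": true,
   "MoveToFolder": "Newsletters", "DeleteMessage": false},
  {"Mailbox": "dave@example.com", "Name": "Personal copy", "Enabled": false,
   "RedirectTo": "dave.home@example.org", "DeleteMessage": false}
]
"""

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organisation's own domains
FORWARD_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


def load_sample():
    """Parse the constructed sample export."""
    return json.loads(SAMPLE_RULES_JSON)


def is_internal(domain, internal_domains):
    """True for an internal domain or any of its subdomains."""
    return any(domain == d or domain.endswith("." + d) for d in internal_domains)


def external_recipients(rule, internal_domains):
    """Collect forward/redirect targets that leave the organisation."""
    found = []
    for field in FORWARD_FIELDS:
        values = rule.get(field) or []
        if isinstance(values, str):  # exports may flatten a single value
            values = [values]
        for value in values:
            for match in ADDRESS_RE.finditer(value):
                if not is_internal(match.group(1).lower(), internal_domains):
                    found.append(match.group(0).lower())
    return found


def audit_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Flag rules that send mail outside; forward-then-delete rates highest."""
    findings = []
    for rule in rules:
        recipients = external_recipients(rule, internal_domains)
        if not recipients:
            continue
        findings.append({
            "mailbox": rule.get("Mailbox", "?"),
            "rule": rule.get("Name", ""),
            "recipients": recipients,
            # A disabled rule is still reported: it shows someone created it.
            "enabled": bool(rule.get("Enabled", True)),
            # Forwarding plus deletion is the pattern described on slide 127.
            "severity": "high" if rule.get("DeleteMessage") else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in audit_rules(load_sample()):
        state = "enabled" if f["enabled"] else "disabled"
        print(f'{f["severity"].upper():6} {f["mailbox"]} rule "{f["rule"]}" '
              f'({state}) -> {", ".join(f["recipients"])}')
```

Because the slide notes that such a rule keeps working after a password change, a finding here means the rule itself has to be removed, not just the credentials reset.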

Editor's notes

  1. BEC is driven by the interception of contemporaneous and privileged information obtained by threat actors by compromising email accounts, and then weaponizing that information
  2. BEC actors are threat indiscriminate and opportunistic; they will target any industry or business sector where financial transactions are being made. Everyone is vulnerable to BEC attacks: the largest global corporations and governments, medium/small businesses, and individual consumers.
  3. BEC accounts for the largest portion of loss from cyber-enabled financial fraud schemes; estimated losses exceed $40 Billion in the past 7 years, with $2.1 Billion reported to IC3.gov in 2021. BEC actors incorporate other cyber-enabled fraud schemes into their attacks, such as other phishing scams, romance scams, tech scams, work from home scams, elder abuse scams, etc., to enhance and further their BEC fraud schemes.
  4. Bottom line: BEC attacks are cyber-attacks using stolen information via email to trick a victim into transferring funds to an unauthorized financial account controlled by a criminal actor.
  5. BEC threat actors operate as businesses in an Enterprise Business Model fashion
  6. Various means are used to compromise email accounts:
       - Phishing attacks, both broad and targeted, to deploy malware to steal login credentials
       - Credential harvesting from dark web scrapes and login credentials from prior data breaches
       - Social engineering used to gain access to email accounts
     Once accounts are compromised, email rules/auto-forward settings are generally established to forward emails out to another email account to surreptitiously monitor the compromised email account.
  7. A popular tactic is to create a spoofed look-alike domain emulating a party in the transaction. Use of spoofed and/or manipulated personal email accounts is a popular tactic, e.g. Gmail, Yahoo, Hotmail, etc. Display name settings are used to mask the actual email address used in the BEC attack email, to display the name of a participant in the transaction.
  8. Once accounts are compromised, email rules/auto-forward settings are generally established to forward emails out to another email account to surreptitiously monitor the compromised email account.
  9. Highlight the urgency and unavailability
  10. Various methods are used to launder BEC funds: unwitting mules (romance scams), witting mules via shell companies, structured cash withdrawals, purchase of luxury goods, money transmitters, cashier’s checks, etc. Use of digital currency (crypto) is an emerging trend to move and launder BEC-derived funds. Pig Butchering = combo of romance scam and cryptocurrency investment account: the victim sends crypto, the threat actor deposits additional crypto to simulate investment gain and entices the victim to deposit even more, and the TA eventually drains the account.
  11. USSS takes a multi-faceted and multi-layered approach to combatting BEC: global and local efforts to disrupt, dismantle, and prosecute BEC groups and threat actors through our CFTFs around the world and GIOC. USSS combats BEC by investigating financial flows, stopping outgoing wires, mapping BEC actor networks, cyber analysis exploitation, and by providing intelligence, education and awareness on the issue.
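
Added example (not from the presentation): a sender check covering the tactics on slide 128 and in note 7, namely character swaps (rn/m, capital I/l, vv/w), Gmail dot variants, a trusted address re-created at a free-mail provider, and display-name masking. The trusted-address list and sample headers are constructed, and the function names are hypothetical.

```python
from email.utils import parseaddr

# Constructed sample data: correspondents the organization already trusts.
KNOWN = {"mike@email.com", "lincoln@email.com",
         "billing@secureworld.com", "secretservice@gmail.com"}
FREEMAIL = {"gmail.com", "yahoo.com", "yahoo.fr"}  # named on the slide

def skeleton(text):
    """Fold the slide's visual swaps: capital I for l, rn for m, vv for w."""
    return text.replace("I", "l").lower().replace("rn", "m").replace("vv", "w")

def canonical(addr):
    """Lower-case; drop dots in a Gmail local part, which Gmail ignores."""
    local, _, domain = addr.lower().rpartition("@")
    if domain == "gmail.com":
        local = local.replace(".", "")
    return f"{local}@{domain}"

KNOWN_CANON = {canonical(k) for k in KNOWN}
KNOWN_SKEL = {skeleton(k) for k in KNOWN}
# "local.domainlabel" forms, e.g. mike@email.com -> mike.email
KNOWN_ADDITION = {f"{k.split('@')[0]}.{k.split('@')[1].split('.')[0]}"
                  for k in KNOWN}

def classify(from_header):
    """Label one From header: known, a lookalike type, or unknown."""
    display, addr = parseaddr(from_header)
    canon, shown = canonical(addr), display.strip().lower()
    if "@" in shown and canonical(shown) in KNOWN_CANON and canonical(shown) != canon:
        return "display-name-mask"
    if canon in KNOWN_CANON:
        return "known"
    if skeleton(addr) in KNOWN_SKEL:
        return "lookalike-characters"
    local, _, domain = addr.lower().rpartition("@")
    if domain in FREEMAIL and local in KNOWN_ADDITION:
        return "freemail-addition"
    return "unknown"

# Constructed From headers, one per tactic plus benign senders.
SAMPLES = [
    "Mike <mike@email.com>", "rnike@email.com", "Iincoln@email.com",
    "Billing <billing@securevvorld.com>", "secret.service@gmail.com",
    "mike.email@yahoo.fr", '"mike@email.com" <someone@mail.example.net>',
    "newsletter@example.org",
]
if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify(header):22} {header}")
```

The skeleton is applied before lower-casing so that a capital I standing in for a lowercase l is still caught.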