The speaker discusses changes to the Cybersecurity Maturity Model Certification (CMMC) program over the past year, including changes to the CMMC model, rules, and the organization administering the program. Voluntary assessments are now taking place and the CMMC ecosystem of assessors, trainers, and consultants is developing. Remaining challenges include high costs of compliance, legal consequences, reciprocity between government agencies, and issues with cloud computing. The speaker stresses the importance of ethics and offers that help is available for organizations navigating CMMC requirements.
Cybersecurity Conference Tabletop Exercise Recap
2. 2022 Cybersecurity Conference
Security Challenges & Incident Response
October 12, 2022
3. Tyler Hudak
Practice Lead – Incident Response, Sr. IR Consultant
Tyler.Hudak@TrustedSec.com
• 20+ years experience in Incident Response, Forensics, and Security
• Trained/Presented at multiple conferences
• Huge geek and nerd
• Community ties:
4. Origin of This Talk
Search shodan.io for North Canton
See multiple Remote Desktop open
5. Agenda
• What is the impact of cyber crime?
• What can you expect when an incident happens?
• What can you do to prevent incidents from occurring?
13. Ransomware Lifecycle
Initial Foothold – Attacker enters environment.
• Phishing
• Supply Chain
• Remote Access
Reconnaissance – Your environment is researched.
• What do you do?
• Where is your data?
• Where are your critical systems?
Lateral Movement – Attacker becomes admin. Moves through your network to find your data.
Data Exfiltration – Sensitive data is sent out. Attacker will use this to extort you.
Deployment & Encryption – Ransomware encryption program is pushed to as many systems as possible.
Payment or Extortion – Attacker demands payment to:
• Decrypt
• Not release data
Timeline bands shown on the slide: Hours to months; Hours to days; Minutes to hours; Days to months.
14. How do attackers get in?
• Phishing
• Remote Access
• https://shodan.io
• Credential Reuse
• https://haveibeenpwned.com
• Supply Chain
• MSP, HVAC, etc.
16. The First Few Minutes
• Don’t panic.
• Follow your plan.
• Don’t have a plan? Create one now.
• Isolate compromised systems, users and networks.
• Shut down as last resort.
• Don’t panic.
17. Who Ya Gonna Call?
Do you have the resources and expertise to take care of the incident?
Cyber Insurance
Incident Response
Legal
Crisis Communications
IT Support
Law Enforcement
Notes beside the resources on the slide:
• Can your MSP/IT do IR?
• Don’t wait to call
• Talk to Legal about this
• What do they provide?
• Internal or external?
• Stay ahead of the story
18. Investigate
• How did they get in (RCA)?
• What did they do?
• What data was stolen?
• Who was compromised?
• Can you recover?
Don’t skip this step!!! You can recover while you investigate.
19. Root Cause Analysis Case
Company hit with ransomware → Wanted quick analysis, no root cause analysis → Did not engage any IR companies → Hit with ransomware 2 weeks later
20. Attackers steal data to sell it
Source: https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf
But we don’t have data anyone wants!
• Employee Information
• Project Data
• Client Information
• Internal Emails
• Personal Information
• Financials
22. Eradicate and Recover
Questions To Ask
• Are your backups intact / trustworthy?
• How far back do you have to restore?
• How long will it take to fully restore?
• Who will validate the restoration?
Steps to Recovery
• Find all compromised systems
• Rebuild systems from clean image on clean network
• Restore data from backup
• Remove/Reset all affected accounts
23. What if you can’t recover?
Ransom Payment Questions to Consider
• Would you pay the ransom?
• How?
• Who is paying?
• What if you can’t pay?
24. It’s all over…
• Create an after action report
• Hold a lessons learned meeting
• Discuss the good and the bad
• Do not finger point
26. 1. Have a plan
• Document tech and business responsibilities
• Know who to contact
• Set up these relationships BEFORE an incident occurs
• Test your plan!
27. 2. Use Strong Passwords
• No Double Dipping: Not good with Chips, Not good with Passwords!
• Use Passphrases not
• Use a Password Manager!
29. 3. Multifactor Authentication (MFA)
• Use everywhere you can!
• Apps are better than text messages
• Don’t push approve unless it’s really you!
Beware of MFA Fatigue Attacks!
30. 4. Take Backups
• Protect your backups!
• Store offline / tape
• Test restorations
31. 5. Talk to Your Users
• Users may see attacks before they are detected
• Educate them on what to look for
• Give them a method on how to respond
• Never shame/fire someone over getting compromised
Look for these signs in your email:
• Poor grammar or graphics
• Bogus E-Mail Address
• Aggressive call to action
• Links don’t match
32. 6. Stay Updated
• Get updates from a trusted source
• Enable Automatic Updates
• Restart your system regularly
36. 2022 Cybersecurity Conference
Tabletop Exercise
October 12, 2022
37. Incident Response Tabletop Exercise Goals
Gain experience with a real-world situation and test:
• Effectiveness of Incident Response Policy;
• Incident Response capabilities; and
• Interactions between Incident Response teams.
“Everyone has a plan until they get punched in the face.” - Mike Tyson
38. The Situation
You work at a medium sized manufacturing company with 50 employees. You have a small IT team, but no dedicated security people.
Budget has been tight but you’ve been able to improve security somewhat. You’ve been able to purchase:
• Advanced endpoint protection software
• Cyber Insurance
39. Saturday 8AM
You receive a call on a Saturday morning at 8AM.
Employees coming in for the weekend shift have found that systems are not working.
The following note is popping up on everyone’s computers.
40. (Image: the ransom note shown on the computers)
41. First Steps
You must make a quick decision on what to do.
• Shut down every system in the environment.
• Use your endpoint security system to isolate compromised systems.
42. Shut Down Systems
You quickly shut down systems.
This is effective at stopping the spread of the ransomware.
However, investigative teams are unable to reconstruct the attacker’s full activity because key pieces of forensic data were lost.
43. Isolate Systems
While this takes some time, your new endpoint software is effective at isolating systems.
It turns out that the ransomware had already run its course by the time you responded and had compromised everything it was going to.
By not shutting down systems, investigative teams were able to reconstruct much of the attacker’s activities.
44. A Little Breather
The attack has been momentarily contained. Some senior leadership want to begin notifying clients while others want to contact insurance.
Who do you contact?
• Contact cyber insurance.
• Contact clients to let them know you are down.
45. Contact Clients
You begin to reach out to clients immediately and let them know the organization has been compromised.
Clients begin asking more and more questions, and your staff (and sales and communications) are soon overwhelmed.
Within hours, the media has begun to call and ask questions for their upcoming story on your breach.
46. Contact Cyber Insurance
You were diligent with your cyber insurance policy to ensure that activating it gives you access to a:
• Breach Coach
• Incident Response Firm
• Crisis Communications Firm
Soon you are receiving good advice and are well on your way to getting back online.
47. What happened?
With your third parties assisting, you have time to determine the scope of the incident. Initial indications are the attackers broke in through a phishing attack.
Your IR team states they have not finished their investigation. However, you have pressure from clients and leadership to bring things back online ASAP.
What do you do first?
• Start recovery
• Investigate the incident further
48. Recovery
Through luck, the attackers were unable to remove backups so you can recover systems quickly.
Unfortunately, without a complete investigation, you did not determine when the original attack occurred.
Due to this, you restored attacker backdoors into the environment, allowing them back in.
They re-encrypted all systems and did not make the same mistake about missing the backups.
49. Investigate
You allow the IR team to complete their investigation.
The team finds backdoors installed on several workstations and pinpoints the exact date of initial compromise.
This allows you to complete restoration without allowing the attacker to reenter the environment.
50. The End
The incident is over and everything has been restored. This was a tough ordeal and many just want a break to put it behind you.
Do you?
• Discuss what happened
• Count your blessings and move on
51. Do Nothing
You, and everyone else, are relieved that the incident is over. You move on, catching up on the projects that got delayed due to the attack.
Unfortunately, since no post-incident lessons learned meetings were held, weeks later a user falls for a phishing attack which allows another group into the environment.
It starts again.
52. Lessons Learned
Despite the fatigue, you know post incident meetings are a must.
You hold these and determine that your users are not educated enough about phishing attacks.
Leadership grants you money to educate users, get better protections, and perform your own phishing tests.
Weeks later, a user reports a phish they received. Analysis determined that it was sent from another ransomware group.
Disaster averted.
56. Legal Perspective on Cybersecurity:
Pre-breach Planning, Incident Response & Ransomware Negotiation
Jarman J. Smith, Brouse McDowell
3rd Annual Rea & Associates
Cybersecurity Conference with Walsh University
October 12, 2022
58. Introduction
Jarman J. Smith
• Associate Attorney at Brouse McDowell
• Corporate Practice Group
• Cybersecurity & Data Privacy Team
• Helps organizations with:
• Privacy law compliance
• Pre-breach planning
• Incident response requirements
59. The Facts
• Reported: 3 out of 4 organizations have fallen victim to ransomware
• Cybercriminals can penetrate 93% of company networks
• Average cost of a data breach in U.S. is $4.24 million
• 30% of data breaches in U.S. involve internal actors
• Small business survey: Only about 50% felt prepared for an attack
60. No organization is completely safe…
Image: https://www.pitsasinsurances.com/en/article/cyber-attack-insurances/
62. U.S. Legal Privacy Framework
• Heavily influenced by European regulations
• No single comprehensive federal law – different laws based on industries
• Financial Privacy (e.g., GLBA)
• Educational Privacy
• Health Privacy (e.g., HIPAA)
• Section 5 of FTC Act prohibiting deceptive and unfair practices
• Pending federal law – American Data Privacy and Protection Act
• State laws
• Data Breach Notification – All 50 states and most territories
• State financial privacy laws (many states have incorporated PCI DSS into laws)
• California, Colorado, Connecticut, Delaware, Ohio, Utah and Virginia
63. Pre-Breach Planning/Compliance
• Understand your current cybersecurity posture
• Determine applicable regulations
• Implement written policies and procedures
• Encrypt and back up critical data
• Manage and regulate vendor relationships
• Obtain adequate cyber insurance
• Train your employees!
66. Ransomware Negotiation
• You need a team!
• Independent IT specialists
• Legal advisors
• Law enforcement
• Insurance agents
• Reputation of attacker? (FBI records)
• Work within parameters set by attacker
• Obtain verifiable proof of data
• Leverage: Recoverable data
• Review insurance policies
• Be informed before making decisions
73. Cybersecurity Maturity Model Certification (CMMC)
One Year Later, Where Are We?
What Has Changed
‒ The CMMC Model
‒ CMMC Rules
‒ Our Name, Brand, and Organization
CMMC Rulemaking
Voluntary Assessments
Status of the CMMC Ecosystem
Life as a CMMC Assessor
Big Remaining Issues
‒ Cost
‒ Legal Consequences
‒ Reciprocity
‒ The Cloud
Ethics
Help is Out There
The Future
75. Cybersecurity Maturity Model Certification (CMMC)
CMMC 2.0 – Model and Assessments
LEVEL 3 – Expert: 110+ practices based on NIST SP 800-172; triennial Gov’t-led assessment; CUI, highest priority programs
LEVEL 2 – Advanced: 110 practices aligned with NIST SP 800-171; triennial third-party assessment for CUI in prioritized acquisitions, annual self-assessment for CUI in non-prioritized acquisitions
LEVEL 1 – Foundational: 17 practices; annual self-assessment; FCI, not critical to national security
86. Loren Wagner
Director of Risk
lwagner@centracomm.net
Loren is actively engaged in helping organizations become more secure and compliant by
performing risk assessments and advisory services based on the NIST Cybersecurity
Framework, NIST SP 800-171, and the DoD’s Cybersecurity Maturity Model Certification
(CMMC) program. Loren is a designated CMMC-AB Registered Practitioner.
Prior to joining CentraComm, Loren held global senior management positions for a major
manufacturer in information security, networking, and data center operations. Loren is a
respected expert in his field and has presented papers and provided dozens of
presentations to organizations regarding risk mitigation, cybersecurity & information
technology. Loren has a Doctorate in Information Assurance from the University of Fairfax,
an MBA from The University of Findlay and a Certificate in Security Management from the
National Defense University. A part-time lecturer at the University of Findlay for more than
20 years, he played a major role in the development of their Information Assurance
Program. Loren is a veteran of the U.S. Air Force.
87. Discussion Topics
Threat Overview
Who Are The Targets?
The Statistics
Cybersecurity Take-Aways & Action Steps
8 Critical Factors To Protect Your Business
Framework Adoption
The Legal Aspect
Wrap Up
88. The Daily Barrage
Practically every day, we see news articles or receive alerts relating to another organization falling victim to a ransomware attack or this season’s scam.
Uber
Lee County Emergency Medical Services
New Hampshire Lottery
Twitter
Molson Coors
Marriott
California DMV
Michigan State University
89. The Totality of Losses
FBI’s Internet Crime Complaint Center (IC3)
https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf
92. What Business You Are In Doesn’t Matter!
“I’ve seen hairdressers, tire shops, paving places…they don’t think they’re going to be the victim, but anyone can be the victim of a cyber crime.”
SAMANTHA BALTZERSEN, SUPERVISORY SPECIAL AGENT, FBI CYBER SQUAD
93. Do you know…
• Businesses lost around $8,500 per hour due to ransomware-induced downtime. - Govtech
• Most affected clients actually experienced 3 to 14 days of downtime. – NinjaRMM
• According to RSA Security, the future of this growing threat will include not just a lockdown on integral files and folders, but access to networks and accounts. - RSA Security
94. Key Statistics
• 43% of all data breaches involve small and medium-sized businesses
• 43% of SMBs do not have any cybersecurity plan in place
• 61% of all SMBs have reported at least one cyber attack during the previous year
• 83% of small and medium-sized businesses are not financially prepared to recover from a cyber attack
• 91% of small businesses haven’t purchased cyber liability insurance
• One in five small companies does not use endpoint security
https://www.forbes.com/sites/chuckbrooks/2022/01/21/cybersecurity-in-2022--a-fresh-look-at-some-very-alarming-stats/?sh=5fdd99d56b61
95. Top 10 States Reporting
https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf
What Can a Small Business Do To Prevent Becoming One of These Statistics?
96. What If This Were To Happen To My Company?
Am I completely helpless and unable to defend against these business-impacting events?
If there are steps to avoid becoming a victim, what are they?
97. The Answer: Practice Cybersecurity Hygiene
Almost all successful attacks take advantage of conditions that could reasonably be described as “poor cyber hygiene.”*
*Tony Sager is a Senior Vice President and Chief Evangelist for CIS (The Center for Internet Security). In this role, he leads the development of the CIS Controls, a worldwide consensus project to find and support technical best practices in cybersecurity, August 2020.
98. Cybersecurity Hygiene
“Relatively simple, well-defined actions:
• Patching Known Vulnerabilities
• Management of Privileges
• Proper Configuration Management
can provide significant value - but not a complete cure - for many cyber health problems.” – T. Sager, August 2020
99. How Do I Understand My Vulnerabilities?
Effective Cyber Hygiene is all about Risk Management
A Vulnerability Assessment can start you down the right path
102. #2 - Patching Considerations of Known Vulnerabilities
Operating Systems:
• Microsoft Windows
• Apple OS
Applications:
• Adobe Products
• Browsers
• iTunes
• Java
• Microsoft Office Products
• Older, unused products
103. #3 - Management of Privileges: Proper Credentials
Follow the concept of “least privilege”.
• Do not use Privileged or Administrative Accounts if not needed for the task
• Removing admin rights could have mitigated 75% of critical vulnerabilities according to Microsoft 2022 vulnerabilities report
• PC & Laptop accounts often are created with Admin Privilege – remove this access
• Such access is particularly dangerous when surfing the web
104. #4 - Proper Configuration Management
Often PCs, Laptops, & Servers are run with installations out of the box:
• Remove default accounts that are not needed
• Change default passwords
• Use Windows Firewall
• Use Windows A/V
105. #5 - Backup & Recovery: Backup Important Data
• Backup devices regularly
• Maintain offline copies
• Make sure you can recover files from backups
106. #6 – Build Awareness
Recognizing the Human Factor
“We all need to be a part of this fight against the cyber attackers. We all matter. One person in a company can be the determining factor whether or not that company’s cyber defenses are going to work or fail.”
SAMANTHA BALTZERSEN, SUPERVISORY SPECIAL AGENT, FBI CYBER SQUAD
107. #7 - Incident Management
• Incident Response
• Run tabletop exercises
• Repeat process on a regular basis
108. #8 – Multi-Factor Authentication (MFA)
• Remote Accounts
• Admin Accounts
• Sensitive Data Access
• A must have for Cyber Insurance
111. Legal Factors
Data Protection Act – Ohio Senate Bill 0220
Intended to provide businesses with an incentive, a safe harbor, by maintaining a cybersecurity program that substantially complies with one of eight industry recommended frameworks
https://www.legislature.ohio.gov/legislation/legislation-summary?id=GA132-SB-220
112. Legal Factors
Security Breach – Security Breach Notification Act (ORC 1349.19)
Consumers must be notified of any security breach to stored personal information that may reasonably cause a material risk of identity theft or other fraud.
Consumers must be notified in the quickest way possible, but not later than 45 days after the breach is discovered.
https://www.ohioattorneygeneral.gov/Business/Services-for-Business/Business-Guide/Personal-Information-for-Consumers#:~:text=Do%20consumers%20need%20to%20be,identity%20theft%20or%20other%20fraud
113. Preparation Is Key
Execute Plans For Maintaining Cyber Hygiene
Consider MSP Services
Implement Multi-Factor Authentication
Have Backups and Test Your Backups Regularly
Know How Long It Will Take To Recover
Consider Cyber Insurance
Strongly Recommend A Vulnerability Assessment
“It is not a matter of if you are attacked, it is a matter of when.” Be Prepared!
114. CentraComm Overview
Founded in 2001, CentraComm is an IT cybersecurity, network infrastructure, and compliance provider that operates as an extension of your IT department:
• Provides IT risk, managed, and professional services supporting customer’s business goals and strategic business technology initiatives
• Has around-the-clock engineering team and value-added services that deliver peace of mind for customers
• Utilizes top technology supported by industry-certified, top-level talent
• Has two Data Centers supporting Co-Location, Disaster Recovery, etc.
• Supports Fortune 50, educational institutions, and small to medium-sized businesses allowing them to innovate efficiently, be compliant, and remain secure
121. U/FOUO//LES
Knowledge is Power
“In a time of turbulence and change, it is more true than ever that knowledge is power.” -John F. Kennedy
Business Email Compromise is driven by the interception, and subsequent weaponization of contemporaneous and privileged information
122. Threat Vector - Everyone
Business Email Compromise can affect the largest global corporations all the way down to the individual consumer
123. Evolution of BEC
BEC is an amalgam of several fraud schemes that have evolved into one overarching scheme:
Phishing – Using malware, privileged information is uncovered and exploited through various legacy phishing schemes
Whaling – More elaborate fraud schemes are developed that target high level and C-Suite employees
CEO Impersonation – Sensitive/proprietary business information allows fraudsters to impersonate C-suite and supervisory employees
124. Threat Vectors
Duality of Scheme Creates Multiple Vectors of Vulnerability
BEC is focused on Business side exploitation: The IT system of a business is infiltrated, and privileged emails can be accessed, diverted, and read by bad actors
EAC is focused on personal email intrusion: A personal email account (e.g. gmail, yahoo, hotmail, etc) is infiltrated by bad actors
Often the financial victim has not been compromised
125. Enterprise Business Model
Operate as businesses – Top to bottom model
Department: Description – Where
C-Suite: Sets design and targets businesses – Eastern Europe, West Africa
IT Wing: Carries out hacking, malware, email monitoring – Global
HR/Recruitment: Recruits IT wing, financial actors – Eastern Europe, West Africa
Finance/Banking: Sets process for wire transfers and Money Laundering – Global, Local
Enforcers: Ensures financial cooperation and following of orders – Global
Admins: Maintain shell companies and legitimate business liaisons – Local
Burn party: After successful schemes, enterprise burns all materials – Global
127. Operational Tactic – Email Rules
Once the criminal actors gain access to email accounts, the most common form of surveillance is to set up email rules in the account settings to auto-forward, then delete the auto-forwarded emails to avoid detection.
Other than the email rule, no evidence of the surveillance is visible. This allows the actor to remotely monitor the account even if the password is changed.
If the password or access method remains the same, the criminal actor will manipulate the victim's inbox to prevent detection or to further facilitate the fraudulent transactions.
128. Attack Tactics
Addition: @gmail.com, @yahoo.com, @yahoo.fr
• Realemail.realdomain@gmail.com
Display Name masking & Google dot matrix
• Email service providers allow a display name to replace the actual email address
• secret.service@gmail.com reverts back to secretservice@gmail.com
Spoofed email addresses
• mike@email.com vs. rnike@email.com
• Lincoln@email.com vs. Iincoln@email.com
Changed/Spoofed domain names
• www.secureworld.com vs. www.securevvorld.com
Full email account take over and VPN Access
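Every tactic on this slide is something a mail gateway rule or a help-desk triage script can test for before a human trusts the sender. The following is an added example for this page, not code from the presentation or from the USSS: a small Python triage that folds the confusable spellings shown above (rn for m, capital I for l, vv for w) into one canonical form and checks a From: header for a look-alike domain, a look-alike mailbox, a known address re-used as the local part of a free-mail account, and a known contact's display name over a different address. TRUSTED_DOMAINS, KNOWN_CONTACTS, the extra 0/o and 1/l substitutions and the sample headers are assumptions constructed for the example; the addresses in the samples are the slide's own.

```python
import unicodedata
from typing import Dict, List, Tuple

# Assumed for this example: the domains of parties that legitimately take part in the
# organization's transactions, and the contacts the recipient already knows by name.
TRUSTED_DOMAINS = {"email.com", "secureworld.com"}
KNOWN_CONTACTS: Dict[str, str] = {"mike": "mike@email.com", "lincoln": "lincoln@email.com"}
FREE_MAIL = {"gmail.com", "yahoo.com", "yahoo.fr", "hotmail.com"}  # providers named on the slide


def skeleton(text: str) -> str:
    """Collapse spellings a reader confuses on screen into one canonical form, so that
    'rnike' == 'mike', 'Iincoln' == 'lincoln' and 'securevvorld' == 'secureworld'.
    Capital I is folded to l *before* lowercasing (the slide's I/l trick); rn/m and vv/w
    are also the slide's; 0/o and 1/l are common extras added here (assumption)."""
    text = unicodedata.normalize("NFKC", text).replace("I", "l").lower()
    for confusable, canonical in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        text = text.replace(confusable, canonical)
    return text


def split_address(addr: str) -> Tuple[str, str]:
    """Return (local part, domain); case is preserved because skeleton() needs it."""
    local, _, domain = addr.strip().rpartition("@")
    return local, domain


def check_sender(display_name: str, address: str) -> List[str]:
    """Return the reasons this From: header matches one of the slide's tactics
    (an empty list means nothing matched)."""
    reasons: List[str] = []
    local, domain = split_address(address)
    domain_lc, address_lc = domain.lower(), address.strip().lower()

    # 1. Changed/spoofed domain: same skeleton as a trusted domain, different spelling.
    if domain_lc not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if skeleton(domain) == skeleton(trusted):
                reasons.append(f"domain '{domain}' is a look-alike of trusted '{trusted}'")

    # 2. Spoofed mailbox at a trusted domain (mike vs rnike, Lincoln vs Iincoln).
    if domain_lc in TRUSTED_DOMAINS:
        for real in KNOWN_CONTACTS.values():
            real_local, real_domain = split_address(real)
            if (real_domain == domain_lc and local.lower() != real_local
                    and skeleton(local) == skeleton(real_local)):
                reasons.append(f"mailbox '{local}' is a look-alike of known '{real_local}'")

    # 3. "Addition": a known person's whole address reused as the local part of a free-mail
    #    account (realemail.realdomain@gmail.com). Gmail ignores dots in the local part
    #    (the slide's "dot matrix"), so dots are dropped before comparing.
    if domain_lc in FREE_MAIL:
        bare = skeleton(local).replace(".", "")
        for real in KNOWN_CONTACTS.values():
            if bare == skeleton(real).replace("@", "").replace(".", ""):
                reasons.append(f"free-mail account '{address}' embeds known address '{real}'")

    # 4. Display-name masking: a known contact's name shown over a different address.
    first_word = skeleton(display_name).split()[0] if display_name.split() else ""
    expected = KNOWN_CONTACTS.get(first_word)
    if expected and address_lc != expected:
        reasons.append(f"display name '{display_name}' belongs to {expected}, not {address_lc}")
    return reasons


def triage(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Run check_sender over (display name, address) pairs; keep only the flagged ones."""
    return {addr: r for name, addr in headers if (r := check_sender(name, addr))}


# Constructed sample From: headers: the slide's own examples plus two benign senders.
SAMPLE_HEADERS = [
    ("Mike", "mike@email.com"),               # genuine
    ("Dana", "dana@partner.example"),         # unknown, but resembles nothing trusted
    ("Mike", "rnike@email.com"),              # rn for m
    ("Lincoln", "Iincoln@email.com"),         # capital I for l
    ("Mike", "mike.email.com@gmail.com"),     # "addition" of a free-mail suffix
    ("Accounts", "ap@securevvorld.com"),      # vv for w in the domain
]

if __name__ == "__main__":
    for addr, reasons in triage(SAMPLE_HEADERS).items():
        print(addr)
        for reason in reasons:
            print("   -", reason)
```

The skeleton step is the part worth keeping even if the rest is replaced by a commercial gateway: exact-match allow lists miss every substitution on the slide, while comparing canonical forms catches them at the cost of occasionally folding a genuine capital I into an l.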
134. Emerging Trends
• Rise in use of cryptocurrency as means to launder funds – direct/second hop/third hop
• Exploitation factor increase
• “Pig Butchering”
• Continued use of Ancillary Fraud Schemes
• Increasingly sophisticated phishing sites being used to harvest credentials
• Consent-based Phishing/Malicious App use
• Deepfakes/AI/Machine Learning arrive in cyber fraud world
• Phishing as a service – Phishing kit usage expanding – Non-Technical Actors
• Industry and target indiscriminate
• Geographic and threat actor expansion
135. Key Takeaways
• Monitor email environment for unauthorized email rules
• Have a practiced incident response plan
https://www.secretservice.gov/investigation/Preparing-for-a-Cyber-Incident
• Public/Private Partnerships are instrumental
• Information Sharing is Key – REPORT
• Contact USSS
https://www.secretservice.gov/contact/field-offices
USSS Cleveland: 216-750-2058
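Slide 127 (email rules as the surveillance mechanism) and the first Key Takeaway above come down to one recurring control: review every mailbox rule for an external auto-forward, especially one paired with a delete or move that hides the forwarded copy, and for rules that quietly suppress finance-related mail. The following is an added example for this page, not code from the presentation or from any mail vendor: a Python scorer run over a constructed list of inbox rules. The InboxRule fields are loosely modelled on what an Exchange inbox-rule export exposes but are an assumption, as are INTERNAL_DOMAINS, FINANCE_KEYWORDS and the sample rules.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed: the organization's own mail domains. Any other domain counts as external.
INTERNAL_DOMAINS = {"example.com"}

# Assumed: subjects a BEC actor wants the victim not to see (slide 127: the actor
# "will manipulate the victim's inbox ... to further facilitate the fraudulent transactions").
FINANCE_KEYWORDS = ("invoice", "wire", "payment", "bank", "ach", "remittance")


@dataclass
class InboxRule:
    """One mailbox rule. The shape is a constructed approximation of an inbox-rule
    export (forward/redirect targets, delete and move actions, subject condition);
    the field names are an assumption for this example, not a vendor schema."""
    mailbox: str
    name: str
    enabled: bool = True
    forward_to: List[str] = field(default_factory=list)        # forward / redirect targets
    delete_message: bool = False                                # delete-after-processing action
    subject_contains: List[str] = field(default_factory=list)  # subject keyword condition
    move_to_folder: Optional[str] = None                        # move-to-folder action


def is_external(address: str) -> bool:
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def assess_rule(rule: InboxRule) -> dict:
    """Score one rule. severity is 'none', 'medium' or 'high'; reasons explain why."""
    reasons: List[str] = []
    result = {"mailbox": rule.mailbox, "rule": rule.name, "severity": "none", "reasons": reasons}
    if not rule.enabled:
        return result

    external = [a for a in rule.forward_to if is_external(a)]
    hides = rule.delete_message or rule.move_to_folder is not None
    keywords = [w for w in rule.subject_contains if w.lower() in FINANCE_KEYWORDS]

    if external:
        reasons.append("auto-forwards to external address(es): " + ", ".join(external))
    if external and hides:
        reasons.append("hides the forwarded copy (delete/move): the surveillance pattern on slide 127")
    if keywords and hides:
        reasons.append("suppresses finance-related mail: " + ", ".join(keywords))

    if external and hides:
        result["severity"] = "high"
    elif external or (keywords and hides):
        result["severity"] = "medium"
    return result


def audit_rules(rules: List[InboxRule]) -> List[dict]:
    """Return only the rules worth a human look, highest severity first."""
    order = {"high": 0, "medium": 1}
    hits = [h for h in (assess_rule(r) for r in rules) if h["severity"] != "none"]
    return sorted(hits, key=lambda h: order[h["severity"]])


# Constructed sample export: two ordinary rules and two of the kind the slide describes.
# The external address below is a placeholder, not a real mailbox.
SAMPLE_RULES = [
    InboxRule("cfo@example.com", "Newsletters", move_to_folder="Reading"),
    InboxRule("ap@example.com", "Cover for Dana", forward_to=["dana@example.com"]),
    InboxRule("cfo@example.com", "Sync", forward_to=["collector@attacker.example"], delete_message=True),
    InboxRule("ap@example.com", "Cleanup", subject_contains=["invoice", "wire"], delete_message=True),
]

if __name__ == "__main__":
    for hit in audit_rules(SAMPLE_RULES):
        print(f"[{hit['severity'].upper()}] {hit['mailbox']} rule {hit['rule']!r}: "
              + "; ".join(hit["reasons"]))
```

Run this on a periodic export of all mailboxes rather than on one account after the fact: the slide's point is that the rule survives a password reset, so a one-time check at incident time misses the accounts nobody has noticed yet.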
Editor’s notes
• BEC is driven by the interception of contemporaneous and privileged information obtained by threat actors by compromising email accounts, and then weaponizing that information
• BEC actors are threat indiscriminate and opportunistic; they will target any industry or business sector where financial transactions are being made
• Everyone is vulnerable to BEC attacks: largest global corporations and governments, medium/small businesses, and individual consumers
• BEC accounts for the largest portion of loss from cyber-enabled financial fraud schemes; estimated losses exceed $40 Billion in the past 7 years, $2.1 Billion reported to IC3.gov in 2021
• BEC actors incorporate other cyber-enabled fraud schemes into their attacks such as other phishing scams, romance scams, tech scams, work from home scams, elder abuse scams, etc. to enhance and further their BEC fraud schemes
• Bottom line is: BEC attacks are cyber-attacks using stolen information via email to trick a victim into transferring funds to an unauthorized financial account controlled by a criminal actor
• BEC threat actors operate as businesses in an Enterprise Business Model fashion
• Various means are used to compromise email accounts:
  - Phishing attacks both broad and targeted to deploy malware to steal login credentials
  - Credential harvesting from dark web scrapes and login credentials from prior data breaches
  - Social Engineering used to gain access to email accounts
• Once accounts are compromised, generally email rules/auto-forward settings are established to forward out emails to another email account to surreptitiously monitor the compromised email account
• A popular tactic is to create a spoofed look-a-like domain emulating a party in the transaction
• Use of spoofed and/or manipulated personal email accounts is a popular tactic, e.g. gmail, yahoo, Hotmail, etc.
• Display name settings are used to mask the actual email address used in the BEC attack email to display the name of a participant in the transaction
• Highlight the urgency and unavailability
• Various methods are used to launder BEC funds: unwitting mules (romance scams), witting mules via shell companies, structured cash withdrawals, purchase of luxury goods, money transmitters, cashier’s checks, etc.
• Use of Digital Currency (crypto) is an emerging trend to move and launder BEC derived funds
• Pig Butchering = combo of romance scam & crypto currency investment account. Victim sends crypto, Threat Actor deposits additional crypto to simulate investment gain, entices victim to deposit even more, TA eventually drains account
• USSS takes a multi-faceted and multi-layered approach to combatting BEC; global and local efforts to disrupt, dismantle, and prosecute BEC groups and threat actors through our CFTFs around the world and GIOC
• USSS combats BEC by investigating financial flows, stopping outgoing wires, mapping BEC actor networks, cyber analysis exploitation, and by providing intelligence, education and awareness on the issue