This document discusses evolving cyber threats and how adversaries target organizations. It notes that criminals shift tactics to hit attractive soft targets, exploiting technical flaws and user interactions. One group discussed, called TheDarkOverlord, uses extortion by threatening to publish stolen data if ransom is not paid. The document stresses the importance of understanding adversaries' goals and capabilities in order to minimize risks and reduce vulnerabilities.
3. Tech Advances & User Demands Creating a Cyber Crisis
Cyber Constraints
• Small cyber team & budget
• Limited understanding
• Culture problem
VS.
User Demands
• Speed to Market
• Consumer Adoption
• Ease of Use
6. Criminals Play Copycat, Slowly Shift Tactics
• When it comes to TTPs, malicious actors are not looking to reinvent the wheel
• The minutiae of how they go about reaching their goals may change slightly year to year, but major shifts in approach tend to be adopted slowly
• The major shifts that have occurred in recent years and appear to be gaining more traction in 2017 largely fall into three buckets:
- An increase in extortion-related attacks that can generate profits directly from victims
- A shift towards phishing campaigns and data breaches that target those higher up the food chain and provide larger returns
- The growth of cybercrime-as-a-service options and crimeware trade among malicious actors
7. Know Your Adversary
Nation State:
• Typically leverage cyber capabilities to engage in long-term campaigns focusing on economic, industrial, and government espionage, while criminals are focused on monetary gain
Criminal:
• Cyber crime is a business, with a very high return for little effort
• Criminals target businesses that are custodians of a commodity that can be monetized:
- Identity information (Employee & Consumer)
- Financial information (Payment, Banking, Gift Card, Coupons, Entertainment accounts, etc.)
8. Know Your Adversary
• Criminals will target any business that provides an avenue of approach to high-value entities
- Defense/Law Enforcement
- Does your organizational business model provide products or services to the Defense or Law Enforcement industry?
- Critical Infrastructure
- Is your organization part of a critical infrastructure sector, or does it support one?
- Supply Chain
- Are you a part of the supply chain for an organization that could potentially be a high-value target?
9. Completing Your Cyber Risk Picture
Goals, Strategy, Tactics, Techniques, Procedures, Tools
- What they want (INTENT)
- How they will get it (CAPABILITY)
Vulnerabilities present due to: Design, Implementation, Technical Flaws, User Interaction
Evidence of presence: Host & Network Artifacts, Atomic Indicators
11. Extortion Attacks Increase, Along With Ransom Demands
• More targets than ever: The percentage of extortion-related activity observed in 2017 has more than doubled from 2015 and increased by more than 40% when compared to 2016 levels.
• Higher ransom demands: In early 2016, Hollywood Presbyterian Medical Center made headlines for paying a $17,000 ransom. A similar ransomware infection at Erie County Medical Center in April 2017 demanded approximately $44,000 in bitcoin.
• Double-dipping extortion: TheDarkOverlord was able to compromise an old computer running Windows 7 at audio post-production company Larson Studios in December 2016 and stole dozens of unaired episodes belonging to Netflix, ABC, CBS, Disney, and other studios. Larson Studios paid the group $50,000 in blackmail; nevertheless, TheDarkOverlord attempted to extort the company’s clients over the same theft for even more money.
12. TheDarkOverlord’s Use of Extortion Exploits Organizations with an Unhealthy “Level of Presence”
• Similar to ransomware, but instead of encrypting data the adversary threatens to publish the data
• TheDarkOverlord has used social media to publicly threaten organizations
13. Profiling TheDarkOverlord
Associated Twitter Handle(s): @tdohack3r (currently removed)
Gender: Unknown
Nationality: Unconfirmed but believed to be U.K.
Overview:
• TheDarkOverlord is very careful about exposing information that could relate to their identity. This actor is smart and calculated, but has also become bolder and more arrogant, as evidenced in communication with recent victims. Communication with TheDarkOverlord has shown that there is more than one member.
• Originally focused on health organizations, but has shown more recent attention towards entertainment companies.
14. Profiling TheDarkOverlord: Actor Tactics
• Favors exploits that allow remote desktop control of a network; has also taken data acquired by other actors and exploited the clients found in these breached databases
• By garnering media attention they build their reputation and apply pressure to the organizations they wish to extort
- There have been a few reports that the actor first contacts the exploited entity and demands a ransom
- If an entity refuses, the database is listed on TheRealDeal Marketplace and the media is alerted
• More recent activity has shown a slight shift in tactics
- The actor sends the victim, along with particular media figures who request it, a sample of the breached data
- By involving security reporters and bloggers, TheDarkOverlord lends credibility to their work while causing panic in consumers who might be associated with the breach
15. Profiling TheDarkOverlord
The tone used by the group — both dismay that the “business” arrangement didn’t work out and a veiled threat to future victims — has become more prominent since TheDarkOverlord first began targeting healthcare organizations in June 2016.
16. TheDarkOverlord - Takeaways
• TheDarkOverlord represents the type of actor organizations may have to deal with in the future. It is imperative that risk planners acknowledge this risk and plan for it
• It is important to identify cyber risk areas that are not just the traditional IT threats
• Plan and prepare for threat scenarios! It is apparent in some instances that an unprepared response can cause more harm than the actual impacted data itself.
Example – It was reported that Larson Studios paid TDO 50 BC (~ $150-175k) in return for keeping it quiet and not notifying their customers, i.e. Netflix. However, TDO reneged on the deal and released Orange is the New Black:
“We’re a professional outfit. Unfortunately, in any line of business, sometimes clients can become disruptive to their own good. In this case, Larson Studios blatantly violated the terms of our agreement by extensively cooperating with law enforcement. Our reaction was a direct result of the disregard Larson Studios had for our contract.”
17. Cyber Risk Self-Check Questionnaire
• What types of threats exist in my industry?
• What types of threats are occurring in my industry?
• How often do they occur?
• Are the threats changing over time?
• What threats affect my partners, suppliers or competitors?
• Who would attack us, and why?
• Do our controls mitigate that vulnerability? Are we applying the right resources to the right controls?
• How would control failures impact the business?
• Are there different threats to different lines of business?
• How could these threats affect my supply chain?
18. Conclusions and Courses of Action to Minimize Your Risk
Your Threat Landscape Reality
• Greater digital risk footprint due to interconnectedness
• Malicious actors follow the money, and there is money to be made with ransomware and extortion campaigns
• One breach begets another - A major breach is rarely isolated, and info stolen/leaked from one organization can be leveraged to attack other organizations
Get Back to Cyber Security Basics
• Remove the opportunity – minimize vulnerabilities and your level of presence to reduce paths for attack
• Minimize your “technical debt”
19. Q&A and Additional SurfWatch Labs Resources
SurfWatch Cyber Advisor: www.surfwatchlabs.com/cyber-advisor
SurfWatch Threat Analyst: www.surfwatchlabs.com/threat-intel
Dark Web Intelligence: www.surfwatchlabs.com/dark-web-intelligence
Personalized SurfWatch Demo: info.surfwatchlabs.com/request-demo
Strategic and Operational Threat Intelligence
Editor's notes
1:00: Allow 2 – 3 minutes for beeps and folks to come in
1:03: A few words from Andy introducing the webinar, referencing some of the work we’ve been doing to increase awareness on these issues for RE-ISAC members and give Adam and Kristi a couple minutes each to intro themselves.
Kristi will add specific details applying this to Media and Entertainment firms:
The most severe impacts of attacks on any organization are those that could result in harm to people or human life itself. - Charlie Hebdo, revelation of confidential sources
From a business perspective, the highest priorities for news media firms are to be the first to discover new information, have the most accurate reports, confidentiality of sources, and an ongoing reputation for reliability, trust, and timeliness. Those for entertainment providers are similar: unique content and timely release of the material. While most news production firms wish to inform the public, some entertainment groups may choose to limit content to specific audiences. Either might charge subscription fees or require sponsorships to cover the cost of content production and delivery. Audiences of either demand reliability and consistency in the delivery of content. No one wants the news to cut out in the middle of the story or to have large blocks of static in the middle of the movie. Talk radio fans do not want to hear their favorite hosts interrupted by the “Top 20”, nor do music fans wish to have their tunes interrupted by political debates. And, while threats may manifest themselves in media and entertainment, the target, or otherwise disrupted organization, may be any member of the Commercial Facilities Sector – most notably members of the Sports Leagues Subsector – if they maintain a significant media presence, whether on television or on the Internet.
For Media and Entertainment firms, the public facing presence, technology Infrastructure and Supply chain are disproportionately huge compared with other types of organizations. Physical infrastructure and IoT (ICS) risks remain high as production equipment and facility management technology evolve to enhance connectivity and integration with other systems. More personnel in these organizations have a public facing presence as well.
They will use what works until it doesn’t work anymore, then, when we’ve forgotten about it and fail to maintain defenses for those tactics, they recycle them.
China, Russia, Iran, and North Korea have all conducted operations against the Entertainment and Media subsectors. - espionage, extortion, political messaging, sabotage/disruption – UAE vs Qatar
Chinese – NYT and Bloomberg
Russia – Cyber Caliphate attacks on French media
North Korea – Sony Pictures Entertainment
Iran – DDoS
Terrorists: SEA, AnonGhost
Criminals: malvertising, Lizard Squad, ddos extortion –
mischief and activism – ddos, website defacement, signal Hijacking
Competitors: espionage, disruption, attempts to harm reputation
Environment and Circumstances act as catalysts for malicious cyber activity. Elections in many countries, Economic sanctions, New legislation or regulatory rules (or the expiration of such laws/rules), natural disasters, wars, social controversy,
Also, your geographic area, country
Extortion is about exerting power or influence. It is also used by activists, terrorists, and nation states to influence decision making – the QCF DDoS attacks were not about money, they were to hasten sanctions relief in the form of an IAEA deal.
1:45:
Adam, continuing w/ you, some closing thoughts for the group to think about before we move into Q&A? (two minutes)
And Kristi, some additional ideas from your end? (two minutes)