This document discusses evolving cyber threats and how adversaries target organizations. It notes that criminals shift tactics to hit attractive soft targets, exploiting technical flaws and user interactions. One group discussed, called TheDarkOverlord, uses extortion by threatening to publish stolen data if ransom is not paid. The document stresses the importance of understanding adversaries' goals and capabilities in order to minimize risks and reduce vulnerabilities.

1. Know Your Adversary:
Analyzing the Human Element
in Evolving Cyber Threats

2. Today’s Speakers
Adam Meyer
Chief Security Strategist
SurfWatch Labs
2
Kristi Horton
Cybersecurity Analyst
Gate 15 & Real Estate ISAC

3. 3
Tech Advances & User Demands
Creating a Cyber Crisis
VS.
Cyber Constraints
• Small cyber team & budget
• Limited understanding
• Culture problem
User Demands
• Speed to Market
• Consumer Adoption
• Ease of Use

4. 4
Your Digital Footprint Provides a Lot
of Opportunity for Adversaries

5. 5
The Threat Balloon
Cybercriminals
shift their tactics to hit
targets that are:
“Attractive” and “Soft”
This is a blind spot
in your risk program

6. 6
Criminals Play Copycat,
Slowly Shift Tactics
• When it comes to TTPs, malicious actors are not looking to reinvent the wheel
• The minutia of how they go about reaching their goals may change slightly year
to year, but major shifts in approach tend to be adopted slowly
• The major shifts that have occurred in recent years and appear to gaining more
traction in 2017 largely fall into three buckets:
- An increase in extortion-related attacks that can generate profits directly
from victims
- A shift towards phishing campaigns and data breaches that target those
higher up the food chain and provide larger returns
- The growth of cybercrime-as-a-service options and crimeware trade
among malicious actors

7. 7
Nation State:
• Typically leverage cyber capabilities to engage
in long term campaigns focusing on economic,
industrial, and government espionage; while
criminals are focused on monetary gain
Criminal:
• Cyber crime is a business - with a
very high return taking little effort
• Criminals target businesses that are
custodians of a commodity that can be
monetized:
- Identity information (Employee & Consumer)
- Financial Information (Payment, Banking, Gift
Card, Coupons, Entertainment accounts etc.)
Know Your Adversary

8. 8
• Criminals will target any business that
provides an avenue of approach to
high value entities
- Defense/Law Enforcement
- Does your organizational business model
provide products or services to the
Defense or Law Enforcement Industry?
- Critical Infrastructure
- Is you organization a part of a critical
infrastructure sector or supports a critical
infrastructure sector?
- Supply Chain
- Are you apart of the supply chain for an
organization that could potentially be a
high value target?
Know Your Adversary

9. 9
Completing Your
Cyber Risk Picture
Goals
Strategy
Tactics
Techniques
Procedures
Tools
What they
want
(INTENT)
How they
will get itCAPABILITY
Design
Implementation
Technical Flaws
User Interaction
Vulnerabilities
Present Due to:
Host & Network
Artifacts
Atomic Indicators
Evidence of
Presence

10. 10
Goals
Strategy
Tactics
Techniques
Procedures
Tools
Host & Network
Artifacts
Atomic Indicators
What they
want
(INTENT)
How they
will get itCAPABILITY
Evidence of
Presence
Design
Implementation
Technical Flaws
User Interaction
Vulnerabilities
Present Due to:
What You DO Control
What You DO NOT Control
Completing Your
Cyber Risk Picture

11. 11
Extortion Attacks Increase,
Along With Ransom Demands
• More targets than ever: The percentage of
extortion-related activity observed in 2017 has
more than doubled from 2015 and increased by
more than 40% when compared to 2016 levels.
• Higher ransom demands: In early 2016,
Hollywood Presbyterian Medical Center made
headlines for paying a $17,000 ransom. A similar
ransomware infection at Erie County Medical
Center in April 2017 demanded approximately
$44,000 in bitcoin.
• Double-dipping extortion: TheDarkOverlord was able to compromise an old computer
running Windows 7 at audio post-production company Larson Studios in December
2016 and stole dozens of unaired episodes belonging to Netflix, ABC, CBS, Disney, and
other studios. Larson Studios paid the group $50,000 in blackmail; nevertheless,
TheDarkOverlord attempted to extort the company’s clients over the same theft for
even more money.

12. TheDarkOverlord’s Use of Extortion
Exploits Organizations
with an Unhealthy
“Level of Presence”
• Similar to ransomware, but
instead of encrypting data the
adversary threatens to publish
the data
• TheDarkOverlord has used
social media to publicly
threaten organizations
12

13. Profiling TheDarkOverlord
Associated Twitter Handle(s): @tdohack3r (currently removed)
Gender: Unknown
Nationality: Unconfirmed but believed to be U.K
Overview:
• TheDarkOverlord is very careful about exposing information that could relate to their identity. This actor is smart and
calculated, but also has become bolder and more arrogant as evidenced in communication with recent victims.
Communication with TheDarkOverlord has shown that there is more than one member.
• Originally focused on health organizations, but has shown more recent attention towards entertainment companies.
13

14. 14
Profiling TheDarkOverlord
Actor Tactics
• Favors exploits that allow remote desktop control of a
network; has also taken data acquired by other actors and
exploited the clients found in these breached databases
• By garnering media attention they build their reputation and
apply pressure to the organizations they wish to extort
- There have been a few reports that the actor first
contacts his exploited entity and demands a ransom
- If an entity refuses, the database is listed on
TheRealDeal Marketplace and the media is alerted
• More recent activity has shown a slight shift in tactics
- Actor sends the victim, along with particular media
figures who request it, a sample of the breached data
- By involving security reporters and bloggers,
TheDarkOverlord lends credibility to their work while
causing panic in consumers who might be associated
with the breach

15. 15
Profiling TheDarkOverlord
The tone used by the group — both dismay that the “business” arrangement
didn’t work out and a veiled threat to future victims — has become more
prominent since TheDarkOverlord first began targeting healthcare organizations
in June 2016.

16. 16
TheDarkOverlord - Takeaways
• TheDarkOverlord represents the type of actors organizations may have to deal with in
the future – It is imperative that risk planners acknowledge this risk and plan for it
• It is important to identify cyber risk areas that are not just the traditional IT threats
• Plan and Prepare for threat scenarios! It is apparent in some instances that an
unprepared response can cause more harm then the actual impacted data itself.
Example – It was reported that Larson Studios paid TDO, 50 BC (~ $150-175k)
in return for keeping it quiet and not notifying their customers i.e. Netflix.
However, TDO reneged on the deal and released Orange is the New Black:
“We’re a professional outfit. Unfortunately, in any line of business, sometimes clients can become
disruptive to their own good. In this case, Larson Studios blatantly violated the terms of our agreement
by extensively cooperating with law enforcement. Our reaction was a direct result of the disregard
Larson Studios had for our contract.”

17. Cyber Risk
Self-Check Questionnaire
17
• What types of threats exist in my industry?
• What types of threats are occurring in my industry?
• How often do they occur?
• Are the threats changing over time?
• What threats affect my partners, suppliers or competitors?
• Who and Why would they attack us?
• Do our controls mitigate that vulnerability, are we applying the right resources
to the right controls?
• How would control failures impact the business?
• Are there different threats to different lines of business?
• How could these threats affect my supply chain?

18. 18
Conclusions and Courses of
Action to Minimize Your Risk
Your Threat Landscape Reality
• Greater digital risk footprint due to interconnectedness
• Malicious actors follow the money and there is money
to be made with ransomware and extortion campaigns
• One breach begets another - A major breach is rarely
isolated, and info stolen/leaked from one organization
can be leveraged to attack other organizations
Get Back to Cyber Security Basics
• Remove the Opportunity – minimize vulnerabilities and
your level of presence to reduce paths for attack
• Minimize your “technical debt”

19. Q&A and Additional
SurfWatch Labs Resources
19
SurfWatch Cyber Advisor:
www.surfwatchlabs.com/cyber-advisor
SurfWatch Threat Analyst:
www.surfwatchlabs.com/threat-intel
Dark Web Intelligence:
www.surfwatchlabs.com/dark-web-intelligence
Personalized SurfWatch Demo:
info.surfwatchlabs.com/request-demo
Strategic and Operational Threat Intelligence