ESTABLISHING STRATEGIC LEVEL ANALYSIS
Cameron Brown
CAMERON BROWN – Establishing strategic level analysis @AnalyticalCyber
The views and opinions expressed in this presentation are solely those of the presenter and do not represent any official policy or position of past or present employers of the presenter.
The material in the following slides is for informational purposes only and should in no way be construed as advice of any kind.
Disclaimer
Cyber Crime Defence Advisor
Information Security Strategist
International Legal Practitioner
Published Author
Cameron Brown
MIntSecSt, MPICT
LL.B, B.A (Behavioural Science)
Grad.Cert (Computer Crime Investigation)
Cyber Related Industry Experience
Legal Practice: Australian Attorney
Policing: State and Federal Law Enforcement
United Nations: Office on Drugs and Crime
Transparency International: Anti-Corruption
Academic Institutions: Australian National University, Oxford, Max Planck, Korean Institute of Criminology
Ernst and Young
• Information Security: Forensic Investigator,
Incident Responder, Trusted Advisor
• Risk Advisory: Strategic Cybersecurity
Introduction
► Connected IoT devices: 75 billion by 2020 (Source: Cisco)
► Smart phones: 1.9 billion by 2020 (Source: IDC)
► Internet population: 4 billion by 2020 (Source: ITU/UNESCO)
► Data universe: 44 zettabytes by 2020 (Source: IDC)
Digital transformation and managing complexity
Threat intelligence and Incident Response
Market for cyber insurance
Cloud security opening new growth avenues
Increasing security needs across critical infrastructure, and utilities
Insider threats
Criminal activity within the Deep Web
Pervasiveness of online and digital data
Exponential growth of social media and business disruptors
Increasing severity of evolving threats to cyber security
Tougher government regulations and penalties
Market Drivers
Market drivers for a robust strategic approach to cybersecurity
Threat actor spectrum (slide figure; axes: risk against attacker resources and sophistication, running from script kiddies through hackers, malicious insiders and criminal networks to APT)
► Unsophisticated attackers (script kiddies): You are attacked because you are on the internet and have a vulnerability – you represent a challenge
► Sophisticated attackers (hackers): You are attacked because you are on the internet and have information of value – or they have a reason for disrupting your business
► Corporate espionage (malicious insiders): Your current or former employee seeks financial gain from stealing/selling your IP – or they want to cause disruption for other reasons
► Organised crime (criminal networks): You are attacked because you have information of value – for them to sell, to use as blackmail or hold to ransom
► State sponsored attacks (Advanced Persistent Threat, APT): You are targeted because of who you are, what you do, or the value of your intellectual property
Motivations shown on the slide: amusement/experimentation/nuisance/notoriety; revenge; personal gain; stock price manipulation; money; embarrassment; political/social/environmental causes; state sponsored espionage; market manipulation; competitive advantage; military/political objectives
Targets shown on the slide: any information of potential value to sell or use for extortion/ransom (cash, credit cards, identities, inside information, IP); manipulation of systems; industrial espionage and competitive advantage
Timeline of notable threats, 1980s/1990s to 2016:
► BrainBoot/Morris Worm
► Polymorphic viruses
► Michelangelo
► Concept Macro Virus
► Melissa
► ‘I Love You’
► Anna Kournikova
► Sircam
► Code Red and Nimda
► SQL Slammer
► Blaster
► Fizzer
► MyDoom
► NetSky
► Sasser
► Zeus
► Koobface
► Conficker
► Aurora
► Poison Ivy
► agent.btz
► Stuxnet
► WikiLeaks
► Anonymous
► SpyEye
► Flame
► CryptoLocker
Most companies have adequate cybersecurity controls in place to stop these threats...
...But the reality is these types of attacks are now more and more frequent and companies are not equipped to cope
Evolving threat landscape
Source: EY
Threat actors, intelligence and motivation
Source: Kaspersky
Highly organised and persistent
► Support for operations run by cyber-criminals has evolved into a global enterprise encompassing managed software deployments and scheduled updates, roadmaps for platform development, and even helpdesks to service needs of clients and users
► Innovative and agile illicit businesses harnessing expertise of specialists across various domains of online criminality.
Source: Check Point
Dark clouds and Malware-as-a-Service
► The Nuclear operation accumulated revenue of $100,000 a month
► Attackers renting Nuclear servers to view and manage a malware campaign
► ‘Customers’ able to disseminate any malware via the console, but not permitted to target endpoints in Azerbaijan, Armenia, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Uzbekistan and Ukraine (Eastern Partnership)
► Developer may have resided within one of these jurisdictions and keen to avoid extradition
► Just as threat perpetrator motivations and capabilities vary from group to group, so does OPSEC tradecraft
► Different actors have different requirements for privacy and anonymity
► Example: cyber crime forum operators must balance need to stay off the radar of law enforcement with need to sell and market their products
OPSEC and online criminality
Disrupt
Contain
Minimise
Redefining OPSEC for participants in the underground economy
► Participants in the underground economy are mindful of the threat posed by law enforcement and intelligence agencies
► Transnational criminal enterprises actively track developments in the media and academia, and pay off insiders to gain visibility into the activities of policing organisations
► As quick adopters of new technology, criminal enterprises become more agile and effective in meeting their operational security objectives, which are focussed on anonymity, disinformation, disruption, secrecy, and containing exposure
► Yet, cybercriminals still face the conundrum of establishing trusted relationships among criminal co-conspirators
► The human factor is the weakest link for security in both the legitimate and underground economy
Threats, monitoring, early adopters, trust and the human factor
► Uncovering zero-day vulnerabilities
► Credential harvesting and target profiling
► Developing botnets and malware
► Scanning systems for items of value to sell or exploit
► Exploring new technologies to leverage and exploit
► Following media, blogs and forums to harvest open intelligence and react to activities of LEA
Research, development, and refining modus operandi
Source: Digital Shadows
Bulletproof hosting
Source: Digital Shadows
Avoiding detection and obfuscation
Source: Digital Shadows
Mentoring among cybercriminals
► Use of codes / aliases for communication
► Dead dropping
► Cryptography
► Steganography
► Compromised intermediaries
► Spoofing
► Hiding in safe jurisdictions
► Anonymity networks and proxy services
► “The idea is similar to using a twisty, hard-to-follow route in order to throw off somebody who is tailing you - and then periodically erasing your footprints” (Tor)
Evasive techniques employed by miscreants
Ransomware evolving
Source: Symantec
► Malware is already becoming more situationally aware so as to avoid detection and resist static analysis by security researchers
► Nefarious code will evolve from the reactive polymorphic modes of today to a more proactive mission orientated design
► Like trained dogs sniffing for drugs at airports or concealed explosive devices in warzones, it is conceivable that cognitive computing will be used by criminals to autonomously hunt and capture valuable information from business networks and applications
► 16% of malware can recognise and exploit a virtual machine environment - vulnerabilities such as VENOM could allow attackers to escape a compromised virtual machine and attack others on the same system, or even attack the host hypervisor
Malware becoming more situationally aware
Source: Symantec
Source: Symantec
Newer nasty variants:
► Stampado – encrypting the encrypted
► Jigsaw – count down, punitive deletion
► Philadelphia – count down, Russian roulette
► Miscreants are moving at a much faster pace than security countermeasures
► We can expect more targeted and destructive attacks, but also ransom demands that vary based on the attacker’s estimation of the value of the data being held hostage and/or the ability of the victim to pay some approximation of what it might be worth
► Increasingly attacks will target data intensive organisations like medical practices and law and architectural firms
Crypto-ransomware
Source: Bleeping Computer
Forcing capitulation
Digital idealism
Digital realism
► Collaboration and information sharing
► Regional outposts as a visibility and compliance challenge
► Third-party vulnerabilities
► Understanding the shifting geopolitical landscape and impact on worker demography
► Preparing for crisis management (security fire drills)
► Seeking to do more with less via automation, correlation, and threat telemetry without due consideration around ‘care and feeding’ needed to drive these systems
► Organisations still seeing security as an IT issue
Security pain points for enterprises
► Misaligned reporting and governance structures can quickly lead to dangerous blind spots
► Many organisations have a lack of clarity around security roles and accountabilities
► Where silos exist and there is a disconnect between operational teams and middle management, an impasse occurs
► Functions inside an enterprise can quickly go dark and become starved of resources
► Effective communication channels between leadership and hands-on technical roles are integral to informing decision making and budget allocation
► Critically, the C-Suite needs to be aware of where valuable information is dispersed across their enterprise and how a compromise of that information will impact profitability, branding, and reputation
Silos
► Organic and inorganic business growth changes the attack surface and risk profile for an organisation
► As information systems converge and disparate networks are linked together, new security vulnerabilities emerge
► Architects of secure environments carefully tailor their systems to meet challenges within a specific context
► When the context shifts, so too will the stressors that impact these systems
► For continuous security improvement to occur, change management must be a key part of enterprise growth and contraction
Growth and change management
► For organisations that forward deploy their technology and human assets into the businesses of their clients, these unfamiliar environments will present new dangers
► This may be caused by differences in the way a business treats physical security or cultural peculiarities impacting the behaviour of the workforce in terms of how data is handled
► It's useful to consider this as analogous to taking an animal out of one habitat and placing it into another
► Changes in climate and terrain impact the ecosystems and ultimately alter the natural order of things
► Predators can quickly become prey
Forward deployment
1. Negative social media
2. Debilitating operational pressure
3. Staff lockout from system
4. Forensic investigation and remediation costs
5. Negative local and international press
6. Customer notification costs
7. Costs for contractual breach, litigation, and fines from regulators
8. Loss of customers and loss of sales
9. Loss of jobs and business failure
Breach tree
1. Notice the worry
2. Ask: What am I worrying about?
3. Ask: Can I do something about it?
   NO: Let worry go; change focus of attention
   YES: Action plan – What? When? How?
      NOW: Do it! Then let worry go; change focus of attention
      LATER: Schedule it. Then let worry go; change focus of attention
Source: Adapted from Butler and Hope 2007
Worry tree
VFAC Review No. 12, July & August 2016
https://eng.kic.re.kr/..
Considerations for defenders (open access)
IJCC Vol. 9, January – June 2015
http://www.cybercrimejournal.com/..
Considerations for incident responders (open access)
UNODC 2013
https://www.unodc.org/..
Considerations for governments (open access)
United Nations - Comprehensive Study on Cybercrime
Source: UNODC
Translation links
Spanish: https://www.unodc.org/documents/organized-crime/cybercrime/Cybercrime_Study_Spanish.pdf
Arabic: https://www.unodc.org/documents/organized-crime/cybercrime/Cybercrime_Study_Arabic.pdf
Chinese: https://www.unodc.org/documents/organized-crime/cybercrime/Cybercrime_Study_Chinese.pdf
English: https://www.unodc.org/documents/organized-crime/cybercrime/CYBERCRIME_STUDY_210213
French: https://www.unodc.org/documents/organized-crime/cybercrime/Cybercrime_Study_French.pdf
Russian: https://www.unodc.org/documents/organized-crime/cybercrime/Cybercrime_Study_Russian.pdf