2. CAMERON BROWN – Establishing strategic level analysis@AnalyticalCyber
cameron.brown@legalforensic.com
Disclaimer
The views and opinions expressed in this presentation are solely those of the presenter and do not represent any official policy or position of past or present employers of the presenter.
The material in the following slides is for informational purposes only and should in no way be construed as advice of any kind.

Introduction
Cameron Brown
Cyber Crime Defence Advisor
Information Security Strategist
International Legal Practitioner
Published Author
MIntSecSt, MPICT
LL.B, B.A (Behavioural Science)
Grad.Cert (Computer Crime Investigation)
Cyber Related Industry Experience
Legal Practice: Australian Attorney
Policing: State and Federal Law Enforcement
United Nations: Office on Drugs and Crime
Transparency International: Anti-Corruption
Academic Institutions: Australian National University, Oxford, Max Planck, Korean Institute of Criminology
Ernst and Young
• Information Security: Forensic Investigator, Incident Responder, Trusted Advisor
• Risk Advisory: Strategic Cybersecurity

Digital transformation and managing complexity
► Connected IoT devices: 75 billion by 2020 (Source: Cisco)
► Smart phones: 1.9 billion by 2020 (Source: IDC)
► Internet population: 4 billion by 2020 (Source: ITU/UNESCO)
► Data universe: 44 zettabytes by 2020 (Source: IDC)

Market drivers for a robust strategic approach to cybersecurity
Market Drivers
► Threat intelligence and incident response
► Market for cyber insurance
► Cloud security opening new growth avenues
► Increasing security needs across critical infrastructure and utilities
► Insider threats
► Criminal activity within the Deep Web
► Pervasiveness of online and digital data
► Exponential growth of social media and business disruptors
► Increasing severity of evolving threats to cyber security
► Tougher government regulations and penalties

Evolving threat landscape
Source: EY
Attacker types (the slide plots these by risk against attacker resources and sophistication):
► Unsophisticated attackers (script kiddies): you are attacked because you are on the internet and have a vulnerability – you represent a challenge
► Sophisticated attackers (hackers): you are attacked because you are on the internet and have information of value – or they have a reason for disrupting your business
► Corporate espionage (malicious insiders): your current or former employee seeks financial gain from stealing/selling your IP – or they want to cause disruption for other reasons
► Organised crime (criminal networks): you are attacked because you have information of value – for them to sell, to use as blackmail or hold to ransom
► State sponsored attacks (Advanced Persistent Threat, APT): you are targeted because of who you are, what you do, or the value of your intellectual property
Motivations shown alongside the actors: amusement/experimentation/nuisance/notoriety; money; embarrassment; political/social/environmental causes; revenge; personal gain; stock price manipulation; industrial espionage and competitive advantage; manipulation of systems; state sponsored espionage; market manipulation; competitive advantage; military/political objectives
Information at stake: any information of potential value to sell or use for extortion/ransom – cash, credit cards, identities, inside information, IP
Timeline of notable malware and events, 1980s/1990s to 2016:
► BrainBoot/Morris Worm
► Polymorphic viruses
► Michelangelo
► Anna Kournikova
► Sircam
► Code Red and Nimda
► Zeus
► Koobface
► Conficker
► Aurora
► Poison Ivy
► agent.btz
► Stuxnet
► WikiLeaks
► Anonymous
► MyDoom
► NetSky
► Sasser
► Concept Macro Virus
► Melissa
► ‘I Love You’
► SQL Slammer
► Blaster
► Fizzer
► SpyEye
► Flame
► CryptoLocker
Most companies have adequate cybersecurity controls in place to stop these threats……
….But the reality is these types of attacks are now more and more frequent and companies are not equipped to cope

Threat actors, intelligence and motivation

Highly organised and persistent
Source: Kaspersky
► Support for operations run by cyber-criminals has evolved into a global enterprise encompassing managed software deployments and scheduled updates, roadmaps for platform development, and even helpdesks to service the needs of clients and users
► Innovative and agile illicit businesses harness the expertise of specialists across various domains of online criminality

Dark clouds and Malware-as-a-Service
Source: Check Point
► The Nuclear operation accumulated revenue of $100,000 a month
► Attackers rented Nuclear servers to view and manage a malware campaign
► ‘Customers’ were able to disseminate any malware via the console, but were not permitted to target endpoints in Azerbaijan, Armenia, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Uzbekistan and Ukraine (Eastern Partnership)
► The developer may have resided within one of these jurisdictions and been keen to avoid extradition

OPSEC and online criminality
► Just as threat perpetrator motivations and capabilities vary from group to group, so does OPSEC tradecraft
► Different actors have different requirements for privacy and anonymity
► Example: cyber crime forum operators must balance the need to stay off the radar of law enforcement with the need to sell and market their products

Redefining OPSEC for participants in the underground economy
Disrupt / Contain / Minimise

Threats, monitoring, early adopters, trust and the human factor
► Participants in the underground economy are mindful of the threat posed by law enforcement and intelligence agencies
► Transnational criminal enterprises actively track developments in the media and academia, and pay off insiders to gain visibility into the activities of policing organisations
► As quick adopters of technological developments, criminal enterprises become more agile and effective in meeting their operational security objectives, which are focussed on anonymity, disinformation, disruption, secrecy, and containing exposure
► Yet cybercriminals still face the conundrum of establishing trusted relationships among criminal co-conspirators
► The human factor is the weakest link for security in both the legitimate and the underground economy

Research, development, and refining modus operandi
► Uncovering zero-day vulnerabilities
► Credential harvesting and target profiling
► Developing botnets and malware
► Scanning systems for items of value to sell or exploit
► Exploring new technologies to leverage and exploit
► Following media, blogs and forums to harvest open intelligence and react to activities of LEA

Bulletproof hosting
Source: Digital Shadows

Avoiding detection and obfuscation
Source: Digital Shadows

Mentoring among cybercriminals
Source: Digital Shadows

Evasive techniques employed by miscreants
► Use of codes / aliases for communication
► Dead dropping
► Cryptography
► Steganography
► Compromised intermediaries
► Spoofing
► Hiding in safe jurisdictions
► Anonymity networks and proxy services
► “The idea is similar to using a twisty, hard-to-follow route in order to throw off somebody who is tailing you - and then periodically erasing your footprints” (Tor)

Malware becoming more situationally aware
Source: Symantec
► Malware is already becoming more situationally aware so as to avoid detection and resist static analysis by security researchers
► Nefarious code will evolve from the reactive polymorphic modes of today to a more proactive mission orientated design
► Like trained dogs sniffing for drugs at airports or concealed explosive devices in warzones, it is conceivable that cognitive computing will be used by criminals to autonomously hunt and capture valuable information from business networks and applications
► 16% of malware can recognise and exploit a virtual machine environment - vulnerabilities such as VENOM could allow attackers to escape a compromised virtual machine and attack others on the same system, or even attack the host hypervisor

Crypto-ransomware
Source: Symantec
Newer nasty variants: Stampado (encrypting the encrypted); Jigsaw (count down, punitive deletion); Philadelphia (count down, Russian roulette)
► Miscreants are moving at a much faster pace than security countermeasures
► We can expect more targeted and destructive attacks, but also ransom demands that vary based on the attacker’s estimation of the value of the data being held hostage and/or the ability of the victim to pay some approximation of what it might be worth
► Increasingly, attacks will target data intensive organisations like medical practices and law and architectural firms

Digital idealism

Digital realism

Security pain points for enterprises
► Collaboration and information sharing
► Regional outposts as a visibility and compliance challenge
► Third-party vulnerabilities
► Understanding the shifting geopolitical landscape and its impact on worker demography
► Preparing for crisis management (security fire drills)
► Seeking to do more with less via automation, correlation, and threat telemetry without due consideration of the ‘care and feeding’ needed to drive these systems
► Organisations still seeing security as an IT issue

Silos
► Misaligned reporting and governance structures can quickly lead to dangerous blind spots
► Many organisations lack clarity around security roles and accountabilities
► Where silos exist and there is a disconnect between operational teams and middle management, an impasse occurs
► Functions inside an enterprise can quickly go dark and become starved of resources
► Effective communication channels between leadership and hands-on technical roles are integral to informing decision making and budget allocation
► Critically, the C-Suite needs to be aware of where valuable information is dispersed across their enterprise and how a compromise of that information will impact profitability, branding, and reputation

Growth and change management
► Organic and inorganic business growth changes the attack surface and risk profile for an organisation
► As information systems converge and disparate networks are linked together, new security vulnerabilities emerge
► Architects of secure environments carefully tailor their systems to meet challenges within a specific context
► When the context shifts, so too will the stressors that impact these systems
► For continuous security improvement to occur, change management must be a key part of enterprise growth and contraction

Forward deployment
► For organisations that forward deploy their technology and human assets into the businesses of their clients, these unfamiliar environments will present new dangers
► This may be caused by differences in the way a business treats physical security, or cultural peculiarities impacting the behaviour of the workforce in terms of how data is handled
► It's useful to consider this as analogous to taking an animal out of one habitat and placing it into another
► Changes in climate and terrain impact the ecosystems and ultimately alter the natural order of things
► Predators can quickly become prey

Breach tree
1. Negative social media
2. Debilitating operational pressure
3. Staff lockout from system
4. Forensic investigation and remediation costs
5. Negative local and international press
6. Customer notification costs
7. Costs for contractual breach, litigation, and fines from regulators
8. Loss of customers and loss of sales
9. Loss of jobs and business failure

Worry tree
Source: Adapted from Butler and Hope 2007
1. Notice the worry
2. Ask: What am I worrying about?
3. Ask: Can I do something about it?
   NO: Let worry go; change focus of attention
   YES: Action plan – What? When? How?
      NOW: Do it! Then let worry go; change focus of attention
      LATER: Schedule it. Then let worry go; change focus of attention

Considerations for defenders (open access)
VFAC Review, No. 12, July & August 2016
https://eng.kic.re.kr/..

Considerations for incident responders (open access)
IJCC, Vol. 9, January – June 2015
http://www.cybercrimejournal.com/..

Considerations for governments (open access)
UNODC, 2013
https://www.unodc.org/..

United Nations - Comprehensive Study on Cybercrime
Source: UNODC
Translation links:
Spanish: https://www.unodc.org/documents/organized-crime/cybercrime/Cybercrime_Study_Spanish.pdf
Arabic: https://www.unodc.org/documents/organized-crime/cybercrime/Cybercrime_Study_Arabic.pdf
Chinese: https://www.unodc.org/documents/organized-crime/cybercrime/Cybercrime_Study_Chinese.pdf
English: https://www.unodc.org/documents/organized-crime/cybercrime/CYBERCRIME_STUDY_210213.pdf
French: https://www.unodc.org/documents/organized-crime/cybercrime/Cybercrime_Study_French.pdf
Russian: https://www.unodc.org/documents/organized-crime/cybercrime/Cybercrime_Study_Russian.pdf

Questions