The document discusses the complexities of cyber threat prioritization, emphasizing that organizations often rely on simplistic criteria related to their sector or region, which can lead to missed opportunities for prevention. It outlines factors influencing the selection of cyber crime, cyber espionage, and hacktivism targets, including accessibility of resources, public perception, and the prominence of information. Ultimately, organizations are encouraged to assess threats based on a broader perspective, considering how various adversaries may target them beyond traditional boundaries.

1. SESSION ID:SESSION ID:
#RSAC
John Miller
Your Sector Doesn’t Matter:
Achieving Effective Threat Prioritization
GRC‐R03
Manager, Threat Intelligence
Financial Crime Analysis Group
FireEye
John Hultquist
Manager, Threat Intelligence
Cyber Espionage Analysis Group
FireEye

2. #RSAC
The Problem

3. #RSAC
The Problem
3
Probability Impact Risk
Today’s focus: What influences probability of cyber threats?

4. #RSAC
The Problem
Organizations frequently answer “what threats should I care about?” based
on relatively simple criteria, particularly what’s happening in their sector…

5. #RSAC
The Problem
5
…or in their region…

6. #RSAC
The Problem
… BUT
Threat actors don’t consistently select their victims that way.
THE RESULT: Organizations miss opportunities to prevent loss
rather than remediate damage.
UP NEXT: What factors actually influence which threats affect who?

7. #RSAC
How are targets selected?
Cyber Crime

8. #RSAC
Cyber Crime: Target Selection
Cyber Crime: Abuses of computer systems to steal victims’ money, goods, or services.

9. #RSAC
Cyber Crime Target Selection
What influences relevance of cyber crime threats?
Footprint Services Resources
What infrastructure
do you have?
What do you
provide?
What do you depend
on internally?

10. #RSAC
Cyber Crime Target Selection: Footprint
Ransomware: Background
Malware encrypts victims’ devices or data,
demands ransom
Often associated with credential theft capability
Improved service models resulting in rapid
proliferation
Growing emphasis on encrypting even if C&C
traffic blocked

11. #RSAC
Cyber Crime Target Selection: Footprint
Ransomware: Targeting
• Campaigns typically indiscriminate; group victims by country due to
social engineering, ransom payment logistics, ransom amount
• Associated self‐proliferation capabilities allow infection expansion
without regard to target
• eCrime market models focus on maximizing user bases
Risk influenced by: Your accessibility via malware delivery mechanisms
(email) and ability for malware to run (OS types used)

12. #RSAC
Cyber Crime Target Selection: Footprint
• Low variation between industries
• Decreasing variation with
increasing detections

13. #RSAC
Cyber Crime Target Selection: Services
Trade‐Based Laundering: Background
• Many eCrime operations purchase and resell goods
and services continuously to launder stolen funds
• Mule networks (may be for‐hire) move physical goods
• Gift cards offer rapid laundering mechanism
• Hospitality, travel, entertainment tickets booked just before event
• Resold to unsuspecting consumers, other criminals
• Resold in underground, grey‐market sites, multi‐vendor sites

14. #RSAC
Cyber Crime Target Selection: Services
Trade‐Based Laundering: Targeting
• All types of popular, easily‐resold
goods and services abused
• Changes in item popularity or anti‐fraud barriers
drive criminals to next best alternative
Risk influenced by: Popularity of goods and services you sell

15. #RSAC
Cyber Crime Target Selection: Resources
Corporate Account Takeover: Background
• Advanced credential theft malware compromises
organizations’ accounts with variety of services for fraud
• Leverage advanced authentication bypass techniques
• Tactic offers higher value per compromise than
stereotypical consumer account takeover
• Potential examples: Dridex, TrickBot, GozNym…

16. #RSAC
Cyber Crime Target Selection: Resources
Corporate Account Takeover: Background
Service Compromised Potential Monetization
Card Management Monetary Theft
Cash Management Monetary Theft
Corporate Banking Monetary Theft
Data Security Data Theft
Fulfillment Shipping Diversion or Abuse
Recruiting Money Mule Recruiting
Technology Fraudulent Purchases

17. #RSAC
Cyber Crime Target Selection: Resources
Corporate Account Takeover: Targeting
• Distribution leverages combination of mass spam
with tailoring (can be automated) to recipient
• Compromise services offering opportunity to capitalize
on perpetrators’ monetization and laundering capabilities
Risk influenced by: Your use of typically‐outsourced platforms
for finance, HR, shipping, etc.

18. #RSAC
How are targets selected?
Cyber Espionage

19. #RSAC
Cyber Espionage Target Selection
Cyber Espionage: Abuses of computer systems to conduct surveillance
or monitor, in order to create corporate or political advantage.

20. #RSAC
Cyber Espionage Target Selection
What influences relevance of cyber espionage threats?
Information
Access
Prominence
or Criticality
Presence
What is accessible from
your environment?
How would attacking
you affect others?
Where are you
located or active?

21. #RSAC
Espionage Target Selection: Scenario 1

22. #RSAC
Espionage Target Selection: Scenario 2

23. #RSAC
Espionage Target Selection: Scenario 3

24. #RSAC
How are targets selected?
Hacktivism

25. #RSAC
Hacktivism: Target Selection
Hacktivism: Disruptive abuses of computer systems to achieve political,
religious, nationalistic, social, and other goals.

26. #RSAC
Hacktivism: Target Selection
What influences relevance of hacktivism threats?
Associations Image Exposure
What are your actual or
presumed relationships?
What are public
perceptions of you?
How hardened are you
to threat activity?

27. #RSAC
Hacktivism Target Selection: Associations
Dyn DDoS: Background
• Mid‐October: Dyn Managed DNS suffers repeat
attacks disrupting service to many customers
• Attacks use Mirai botnet, variant of Gafgyt Linux bot
• Followed reports of attacks up to 1.5 Tbps using
same capability
• Multiple links to hacktivist activity

28. #RSAC
Hacktivism Target Selection: Associations
Dyn DDoS: Targeting
• Dyn DDoS was directly attacked, but other high‐profile
organizations suffered downtime and associated
potential losses
• Critical service providers an attractive target
in many cases
Risk influenced by: What external providers victims
depended on

29. #RSAC
Hacktivism Target Selection: Image
OpIcarus: Background
• Hacktivist activity against financials to protest
alleged corruption
• Diverse financials affected; heaviest DDoS
concentration against central banks
• Key actors include “Harvey Harris,”
“Ghost Squad Hackers”

30. #RSAC
Hacktivism Target Selection: Image
OpIcarus: Targeting
• Virtually any financial a target consistent
with narrative
• Others involved in alleged corruption also
affected (e.g. energy)
Risk influenced by: Perception of alleged corruption

31. #RSAC
Hacktivism Target Selection: Exposure
OpRussia: Background
• Anti‐Russia hacktivist campaign
• Mass defacement of Russian websites
• Indications of DDoS attacks

32. #RSAC
Hacktivism Target Selection: Exposure
OpRussia: Targeting
• Many Russian sites potential targets
• Mirrors targeting characteristics of many
hacktivist campaigns based on narratives
consistent with disparate attacks
Risk influenced by: Any connection, however
tangential, to Russia; website vulnerability

33. #RSAC
What should I do?

34. #RSAC
Application
 Evaluate threat probability for your organization based on the factors
shaping adversaries’ targets from adversaries’ perspective
 What significant threats exist?
 Who are they affecting and why?
 Particularly, who are threats affecting outside where organizations typically look –
“my sector,” “my region”?
 How much does the “why” apply to me also?
 Assume internal risk‐related conversations and decision‐making may
require initial level set

35. #RSAC
Application
This presentation was…
How to evaluate threats
for relevance
This presentation was not /
continuing action required…
Identify existing and potential
threats to evaluate
Gain understanding needed
to evaluate them

36. #RSAC
Application
Associations Image Exposure
What are your actual or
presumed relationships?
What are public
perceptions of you?
How hardened are you
to threat activity?
Information Access
Prominence or
Criticality
Presence
What is accessible from
your environment?
How would attacking
you affect others?
Where are you located
or active?
Footprint Services Resources
What infrastructure
do you have?
What do you
provide?
What do you depend
on internally?

37. #RSAC
Discussion