Presentation is loading. Please wait.

Presentation is loading. Please wait.

Who Is Attacking You? Distinguishing Motivation to Prioritize Threats John Hultquist Senior Manager, Cyber Espionage Threat Intelligence iSIGHT Partners.

Published byNicholas Banks Modified over 9 years ago

Similar presentations

Presentation on theme: "Who Is Attacking You? Distinguishing Motivation to Prioritize Threats John Hultquist Senior Manager, Cyber Espionage Threat Intelligence iSIGHT Partners."— Presentation transcript:

1 Who Is Attacking You? Distinguishing Motivation to Prioritize Threats John Hultquist Senior Manager, Cyber Espionage Threat Intelligence iSIGHT Partners

2 Just another Zeus? Proprietary and Confidential Information. © Copyright 2014, iSIGHT Partners, Inc. All Rights Reserved www.isightpartners.com 2

3 Who Cares? Proprietary and Confidential Information. © Copyright 2014, iSIGHT Partners, Inc. All Rights Reserved www.isightpartners.com 3  Limited resources – Thousands of events a day – Security budgets are a cost center – Noone cares about your non- contextualized “incidents” – Not all incidents are the same – Tough choices are inevitable Bloomberg

4 Who Cares?  Security priorities should reflect differences in organizations  Two distinguishing features of organization – Likelihood of being targeted  Intellectual property  Access to commodity data  Access to strategic information  Antagonistic relationships  High-value interactions (negotiations, mergers and acquisitions) – Relevance of effects on an organization  Loss of competitive advantage – Strategic: Research and development – Tactical: Negotiations  Brand damage  Customer confidence  Donor or investor confidence Proprietary and Confidential Information. © Copyright 2014, iSIGHT Partners, Inc. All Rights Reserved www.isightpartners.com 4

5 Who Cares? Proprietary and Confidential Information. © Copyright 2014, iSIGHT Partners, Inc. All Rights Reserved www.isightpartners.com 5 Microchip Manufacturer Consumer Retail Global Nongovernmental Organization Strong intellectual property No brand or public antagonism Regular high-value negotiations High-profile valuable brand Steward of commodity financial data Antagonistic relationship with labor Popular; few antagonists Heavily involved in geopolitics Steward of donor information Cyber Espionage Cybercrime Hacktivism Cyber Espionage Cybercrime

6 Who? Proprietary and Confidential Information. © Copyright 2014, iSIGHT Partners, Inc. All Rights Reserved www.isightpartners.com 6 Hacktivism Actors motivated by ideology, reputation and ego. Attacks often triggered by corporate and political actions, major news events, etc. Cyber Espionage Government-sponsored or affiliated actors and groups seeking intelligence and intellectual property.

7 The Cybercrime Threat  Noisiest realm for the enterprise  Two types of theats – Opportunistic – Targeted  Market-driven – Scalability and Efficiency – Opportunities for niche sales – Aftermarket Proprietary and Confidential Information. © Copyright 2014, iSIGHT Partners, Inc. All Rights Reserved www.isightpartners.com 7 Cybercriminal Intent:  Compromise  Exfiltrate  Maintain Access  Enable Fraud  Disrupt

8 The Hacktivist Threat  Motivated by “isms” – Nationalism, Religion, Ethnicity, Environment – Ego  Overt – Advance threats – Open communications – Overt endgame Proprietary and Confidential Information. © Copyright 2014, iSIGHT Partners, Inc. All Rights Reserved www.isightpartners.com 8 Hacktivist Intent:  Compromise  Exfiltrate  Destroy  Disrupt  Dump  Deface  Embarrass

9 The Cyber Espionage Threat  Gentleman Spy – Covert – Often distinguished by the lack of visible outcomes – At least he won’t embarrass you.  aPT?  Rarely employing sophisticated deception  Regularly betray their interests Proprietary and Confidential Information. © Copyright 2014, iSIGHT Partners, Inc. All Rights Reserved www.isightpartners.com 9 Cyber Espionage Intent:  Compromise  Exfiltrate  Maintain Access  Enable Information Advantage

10 A Note on Attribution  Key to self-assessment, external collection, and warning  If you can attribute to a known group, and you know there MO, you are ahead of the game  History is the most important insight Proprietary and Confidential Information. © Copyright 2014, iSIGHT Partners, Inc. All Rights Reserved www.isightpartners.com 10 Actor Sender Code C2

11 Distinguishing Features  History  Actions on Objective  Targeting  Malware Capability  Exploits  Infrastructure Proprietary and Confidential Information. © Copyright 2014, iSIGHT Partners, Inc. All Rights Reserved www.isightpartners.com 11

12 Actions on Objective  Persistence over time – CE intrusions are measured in years – Cybercrime intrusions measured in months – Hacktivist intrusion measured in days  Type of information collected – Documents and emails – Commodity financial data Proprietary and Confidential Information. © Copyright 2014, iSIGHT Partners, Inc. All Rights Reserved www.isightpartners.com 12 Krebs

13 Targeting  Function or role of targeted personnel  Source and exclusivity of target information  Social engineering  Watering hole choices Proprietary and Confidential Information. © Copyright 2014, iSIGHT Partners, Inc. All Rights Reserved www.isightpartners.com 13

14 Targeting Proprietary and Confidential Information. © Copyright 2014, iSIGHT Partners, Inc. All Rights Reserved www.isightpartners.com 14

15 Malware  Historical use of malware – Limited value  Propagation and access to malware – Exclusivity is hard to measure  Malware functionality – Document and CAD exfiltration – Financial credential harvesting  Exploits – Zero-days are not only the realm of CE Proprietary and Confidential Information. © Copyright 2014, iSIGHT Partners, Inc. All Rights Reserved www.isightpartners.com 15

16 Infrastructure  DGA and fastflux techniques are most often used in large-scale criminal campaigns  Targeting may be present in domains or senders – Consillium.proxydns.com – Unhq.dynssl.com – Voanews.proxynews.com – Secretariat.lukash@gmail.com – Kulkov.bric@gmail.com Proprietary and Confidential Information. © Copyright 2014, iSIGHT Partners, Inc. All Rights Reserved www.isightpartners.com 16 Actor Code C2 Sender

17 Making sense of the data points  Not an engineering/math problem  Work with imperfect data  Ultimately produce a judgment – High confidence – Medium confidence – Low confidence  Analysis of competing hypothesis can help us judge between adversary motivations Proprietary and Confidential Information. © Copyright 2014, iSIGHT Partners, Inc. All Rights Reserved www.isightpartners.com 17

18 Analysis of Competing Hypothesis Proprietary and Confidential Information. © Copyright 2014, iSIGHT Partners, Inc. All Rights Reserved www.isightpartners.com 18 Evidence Cyber EspionageCybercrimeHacktivism No data dumping eventConsistent Highly Inconsistent Zeus malware available through marketplaceNeutral Government social engineering Highly ConsistentInconsistentConsistent No specific targeting for fraudConsistentInconsistentConsistent Multiple year durationConsistentInconsistentConsistent Extra document exfiltration capabilityConsistentInconsistentConsistent Targets acquired through Stratfor, TRC Highly ConsistentConsistent

19 Questions jhultquist@isightpartners.com Proprietary and Confidential Information. © Copyright 2014, iSIGHT Partners, Inc. All Rights Reserved www.isightpartners.com 19

Download ppt "Who Is Attacking You? Distinguishing Motivation to Prioritize Threats John Hultquist Senior Manager, Cyber Espionage Threat Intelligence iSIGHT Partners."

Similar presentations

Cyber Crime and Technology

Cyber Crime and Technology
Chapter 3 E-Strategy.

Chapter 3 E-Strategy.
1© Copyright 2011 EMC Corporation. All rights reserved. The Future of the Advance Soc 3rd Annual Privacy, Access and Security Congress, Ottawa, 2012 Mike.

1© Copyright 2011 EMC Corporation. All rights reserved. The Future of the Advance Soc 3rd Annual Privacy, Access and Security Congress, Ottawa, 2012 Mike.
Life Science Services and Solutions

Life Science Services and Solutions
Security Life Cycle for Advanced Threats

Security Life Cycle for Advanced Threats
1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.

1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.
Jacky Altal. T O C  Hackers Terminology  Cyber attacks in 2012 (so far…)  Nations Conflict  Cyber Motives  Characteristics of CyberCrime  DEMO –

Jacky Altal. T O C  Hackers Terminology  Cyber attacks in 2012 (so far…)  Nations Conflict  Cyber Motives  Characteristics of CyberCrime  DEMO –
UNCLASSIFIED Cybercrime: The Australian Experience Australian Cybercrime Online Reporting Network (ACORN) Conference Assistant Commissioner Tim Morris.

UNCLASSIFIED Cybercrime: The Australian Experience Australian Cybercrime Online Reporting Network (ACORN) Conference Assistant Commissioner Tim Morris.
Threat Intelligence Use in Information Security: History, Theory and Practice Tim Gallo Cyber Security Field Engineering 1.

Threat Intelligence Use in Information Security: History, Theory and Practice Tim Gallo Cyber Security Field Engineering 1.
1© Copyright 2014 EMC Corporation. All rights reserved. Securing the Cloud Gintaras Pelenis Field Technologist RSA, the Security Division of EMC

1© Copyright 2014 EMC Corporation. All rights reserved. Securing the Cloud Gintaras Pelenis Field Technologist RSA, the Security Division of EMC
Threats to the Aviation Sector

Threats to the Aviation Sector
© 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.

© 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.
Classification The Threat Environment Joyce Corell, NCSC Assistant Director for Supply Chain National Defense Industrial Association Global Supply Chain.

Classification The Threat Environment Joyce Corell, NCSC Assistant Director for Supply Chain National Defense Industrial Association Global Supply Chain.
English Arabic Cyber Security: Implications of recent breaches MENOG April 2015.

English Arabic Cyber Security: Implications of recent breaches MENOG April 2015.
Security for Today’s Threat Landscape Kat Pelak 1.

Security for Today’s Threat Landscape Kat Pelak 1.
The Cyber Threat Intelligence Experts

The Cyber Threat Intelligence Experts
1 Cyber Risk – What can you do…? Chris Clark Managing Director, Prosperity 24.7.

1 Cyber Risk – What can you do…? Chris Clark Managing Director, Prosperity 24.7.
1 Getting Beyond Standalone Antivirus to Advanced Threat Protection Eric Schwake Sr. Product Marketing

1 Getting Beyond Standalone Antivirus to Advanced Threat Protection Eric Schwake Sr. Product Marketing
ECE-6612 Prof. John A. Copeland 404 894-5177 Advanced Persistent Threat Material.

ECE Prof. John A. Copeland Advanced Persistent Threat Material.
SPEAKER BLITZ ERIC BROWN Senior Systems Engineer NICK JAVANOVIC DoD Regional Sales Manager.

SPEAKER BLITZ ERIC BROWN Senior Systems Engineer NICK JAVANOVIC DoD Regional Sales Manager.

Similar presentations

Ads by Google