Cyber Threat Intelligence (CSOL 580)

Introduction

Cyber threat intelligence (CSOL580) is one of my favorite classes as it proactive deals with incoming threats, motives, and possible countermeasures. Every company that uses the internet in any shape or form must develop intelligence against the change threat landscape or risk of going out of business. From a government standpoint, a failure or lack of intelligence could mean catastrophe and death, such as the failure of intelligence in the September 11 terrorist attack.

Intelligence is more than information. It is the knowledge that has been specially prepared for a customer's unique circumstances (Carl J. Jensen, 2018). Any collection of data without filtering is just a collection of noise. A decision cannot be made successfully from noise. Information is the product of noise filtering. Once noise can be eliminated, purpose data begin to emerge. These purposeful data are now known as information. Applying critical thinking, a human value-added behavior, transform data into intelligence.

Cyber threat intelligence (CTI) defines the overall picture and assessments of (Intel & Analysis Working Group, 2020) intent and capabilities of malicious cyber threats. The overall picture includes the actors, tools, and TTPs, through identifying trends, patterns, and emerging threats and risks, to inform decision and policymakers or provide timely warnings. Cyber Threat Intelligence (CTI) is human value-added information. Skilled professional applies critical thinking to cyber information collected to produce cyber threat intelligence. CTI combines data, technology, process, and qualified professionals.

Coursework

Cyber Threat Intelligence Plan (CTIP)

Executive Summary

Being a global, multi-national digital insurance company, we are a tempting target for cybercriminals from all corners of the world. It is not a surprise that the world we operate in today is drastically different. Society today is technologically connected on the internet (cyberspace), carrying out all manners of personal and professional activities. The convergence of technology with the insurance industry was almost non-existence ten to twenty years ago. Today, technology integration into insurance systems is a must, and survival depends on leveraging technology. According to (Spaulding, 2020) insurance companies provide many products with different levels of complexity designed for different groups of people and other organizations. Today, the fast pace of technology-driven products adds another level of complexity to all insurance companies.

Our company, also online, is connected through the same cyberspace and accessible from anywhere worldwide. Cyberspace has changed our business landscape, allowing us to reach more customers and increased our bottom line. With our advanced online presence, we are also exposed to ever-increasing cybersecurity risks.

Year over year, cyber-attacks are proliferating and increased severity. According to (Qualys, 2020) Cybersecurity trends clearly show that attacks on computer networks will continue, and many will succeed. According to (Sobers, 2020), it is estimated that 71% of breaches were financially motivated, and 25% were motivated by espionage. As reported by (Radu, 2019), more than 2 million cyber incidents in 2018 caused at least $45 billion in losses. Along with the monetary loss are reputation damage and declining customer trust.

In this executive briefing, I will outline high-profile cyber threats, the threat actors, and their delivery methods that may affect the future of our business. I will also describe what we can do to thwart the threat via a risk reduction plan.

Two Recent Attacks

Garmin

On Wednesday, July 22, 2020, Garmin became a victim of a ransomware attack. Wearable device maker Garmin shut down some of its connected services and call centers on Thursday following what the company called a worldwide outage, now confirmed to be caused by a WastedLocker ransomware attack (Gatlan, 2020). According to (Whittaker, 2020), the incident began late Wednesday. It continued through the weekend, disrupting its online services for millions of users, including Garmin Connect, which syncs user activity and data to the cloud and other devices. The attack also took down flyGarmin, its aviation navigation, and its route-planning service.

During the attack, Garmin's initial reaction and response were silent. Garmin has said little about the incident so far (Whittaker, 2020). According to ZDNet (Dignan, 2020), Garmin has announced little about the event so far. Garmin tried to restore its digital properties to regular operations. The restore attempt failed, and Garmin panicked. Garmin was not prepared and had no backup plans. Garmin caved in and (landline, 2020) reportedly paid a hacker group $10 million last month to end a ransomware attack that knocked out large segments of its corporate networks. In Garmin's case, this is a victory for the cybercriminals.

Norsk Hydro

On March 19, 2019, cybercriminals activated ransomware exploit attacking Norsk Hydro's entire network causing total operation disruption. Incident responders determined the ransomware strain was LockerGoga, which has haunted the industrial sector (Stone, 2019). The malware caused severe operational disruption, so Norsk Hydro had to switch to manual operation to stay afloat (Zorz, 2019). The breach last March would ultimately affect all 35,000 Norsk Hydro employees across 40 countries, locking the files on thousands of servers and P.C.s. The financial impact would eventually approach $71 million (Briggs, 2019). It took Norsk Hydro more than three months to recover before resuming regular operation.

Threats, Threat Actors, Method of Delivery

A cyber threat can vary from nuisances, such as someone change our website colors, to malicious attacks causing infrastructure blackouts and total disruptions to our daily operations. Cyber threats are never static, and millions being created every year (Taylor, 2020). It is essential to understand that risks are not singular events but a combination of multiple threats from multiple delivery channels. Various threat actors voluntarily share skills and tactics, producing potent threats capable of destroying entire infrastructure and ecosystems.

Threats (Taylor, 2020)

Type	Nature of threat	Method of Delivery	Threat actors
Malware	Software designed to perform malicious tasks against devices or network computers to destroy data or take over control	Malware is usually delivered via phishing or through a trojan horse	Botnet Operators (Rouse, 2049)- Botnet Operators are cybercriminals who control many connected computers (usually in the millions) and internet of things (IoT) devices they compromised with their malware. Hackers (malwarebytes, 2020)- Hackers are people with the ability and tools to compromise computer systems. Some hackers compromise computer systems for an unlawful purpose, and others are out of curiosity. Insider Threats are perpetrated by employees and other trusted persons with access to our system. Phishers (ftc.gov, 2019) Phishers are scammers who use email or text messages to trick you into giving them your personal information.
Phishing	An email-borne attack involves tricking the email recipient into disclosing confidential information or downloading malware by clicking on a hyperlink in the message.	Threat actors use social engineering to trick unsuspecting employees or users into accepting an email or clicking an infected link with an attached malware
Spear Phishing	A more sophisticated form of phishing is where the attacker learns about the victim and impersonates someone they know and trust.	Spear phishing is similar to a phishing scam, but it is highly targeted to an intended user or employee. Usually, these employees have escalated system access.
Man in the Middle	The attacker establishes a position between the sender and recipient of a message or transaction and intercepts the message. The attacker can redesign the message with injected malware before resending it to the recipient.	Threat actors eavesdropping attack occurs when a malicious actor inserts himself as a relay/proxy into a communication session between people or systems. A MITM attack exploits the real-time processing of transactions, conversations, or other data transfers (Veracode, 2020).
Trojans	Named after the Trojan Horse of ancient Greek history, the Trojan is a type of malware that enters a target system looking like one thing, e.g., a standard piece of software, but then lets out the malicious code once inside the host system.	The threat actor uses a method called the trojan horse to slip in malware and viruses by tricking the user into executing the malware, thinking it is a safe activity
Ransomware	Ransomware is malware designed to take over its target by encrypting data or destroying the whole infrastructure in exchange for money or just purely for disruption	Ransomware usual method of delivery is via phishing, spear-phishing, and the trojan horse method
Botnet	Botnets are an army of infected computers under the control of the attacker	Botnet Operators are cybercriminals who have authority over many connected networks (usually in the millions) and internet of things (IoT) devices they compromised with their malware.
Third/Fourth Party	Third- and forth-party vendors are who compromised with malicious malware are used as an attack vector to the intended target	Threat actors infect a vendor or contractor with access to the goal. Once the employees with elevated access to the vendors, the malware is delivered.

Emerging Cyber Threats

The cyber threat landscape is dynamic, and new threats are developed daily—the Cyber Kill Chain® talks about an emerging concept called Advance Persistence Threats (APT). Threat actors are designing malware that allows them to remain in the network and maintain persistency without detection. Threat actors can (Taylor, 2020) lurked inside the company's system for months, evading detection while exfiltrating enormous amounts of data.

Risk Reduction Plan

The Cyber Kill Chain ®

The Cyber Kill Chain, developed by Lockheed Martin, describes seven steps of a cyber-attack. The actual steps in a kill chain trace the typical stages of a cyber-attack from early reconnaissance to completion, where the intruder achieves the cyber intrusion. Analysts use the string to detect and prevent advanced persistent threats (APT) (Beal, 2020). Understanding each step of The Cyber Kill Chain® helps us understand the nature and method of the attack. With this understanding, we can implement a well-rounded Cyber Intelligence Plan (CTIP).

Leveraging the Cyber Kill Chain®, Lockheed Martin recommends five specific steps implemented as the threat progress through The Cyber Kill Chain®. The five steps are to Detect, Deny, Disrupt, Degrade, and Deceive, designed as countermeasures to reduce and stop an attack. The table below outlines the steps through The Cyber Kill Chain®.

Step	The Cyber Kill Chain®	Description (Mukherjee, 2017)	Example (Beal, 2020)	Mitigation
1	Reconnaissance	The intruder selects a target, researches it, and attempts to identify vulnerabilities in the target network.	harvest email accounts	Detect, Deny
2	Weaponization	Intruder creates remote access malware weapons, such as a virus or worm, tailored to one or more vulnerabilities.	couple an exploit with a backdoor	Detect, Deny
3	Delivery	Intruder transmits weapon to target (e.g., via email attachments, websites, or USB drives)	deliver bundle via email or Web	Detect, Deny, Disrupt, Degrade
4	Exploitation	Malware weapon's program code triggers, which takes action on the target network to exploit the vulnerability.	use a vulnerability to execute code	Detect, Deny, Disrupt
5	Installation	Malware weapon installs access point (e.g., "backdoor") usable by the intruder.	Install malware on the target	Detect, Disrupt
6	Command and Control	Malware enables intruders to have "hands on the keyboard" persistent access to the target network.	Command channel for remote manipulation	Detect, Deny, Disrupt, Degrade, Deceive
	Actions on Objectives	Intruder takes action to achieve its goals, such as data exfiltration, data destruction, or encryption for ransom.	Access for the intruder to accomplish the goal	Detect, Degrade, Deceive

Risk Mitigation Plan

Although we can build cybersecurity infrastructure in-house, it will be too costly staffing for a new cybersecurity team. There would also be a significant learning curve while our cyber-security team plays "catch-up." As a stop-gap measure, I recommend we implement a product called Falcon from Crowdstrike. Crowdstrike is a cybersecurity firm that prides themselves of their deep network sensors, artificial intelligence, and skilled cybersecurity analysts across its client base to protect and fight against cyber-attacks preemptively. Crowdstrike deploys sensors to endpoint devices and leverages collected data to develop actionable intelligence.

Crowdstrike's Falcon platform is an endpoint cybersecurity solution that provides visibility and protection. Additionally, it collects and aggregates information augmenting its intelligence engine for consumption system-wide. Falcon is a cloud-based solution that only requires a small executable installed at each endpoint. The beauty of Falcon is that absolutely no on-premise deployment is needed. Falcon supports all the popular operating systems, is lightweight, and runs in the background. Falcon provides real-time, as well as historical, analysis within our enterprise network. The real power of Falcon is the Crowdstrike Security Operation Team, deployed around the world, mining collected data from sensors to notify and preemptively protect assets from attacks.

What is the TCO (Total Cost of Ownership)?

The Total Cost of Ownership (TCO) chart below shows the five-year cost of implementing the Crowdstrike Falcon technology. Since Falcon is a cloud-based solution, there is minimal initial cost because no new hardware is required. Installation of the Falcon software can be automatically installed during an automated endpoint system update.

The TCO for implementing Falcon in year one is $713,640.00 for all 3000 endpoints within the company. Subsequent years are at the cost of $693,640.00 and an additional $10,000.00 for decommissioning if required.

Plan B

As with any cybersecurity solution and protection, they are not perfect. Crowdstrike is the right solution, but we shall not rely on anyone's tool. Plan B assumes a breached into our infrastructure occurred and how the breach will be mitigated.

Plan B Response	Description
Automated detect and respond	An advanced artificial intelligence (A.I.)analytic engine was developed to detect malware attributes and behavior. Once a suspected malware is detected, A.I. shall alert and quarantine the suspected malware
Privileged access management, no local admin	No local administration account on any servers, nodes, or user machine. Administration permission must go through an approval process and change request.
Business continuity plan, plan that doesn't rely on I.T. systems	Manual operation readiness, Manually document everything required to operate without computers
Weekly Offline backup	Implement an offsite weekly backup infrastructure decoupled from the production environment

Conclusion

When we are breached, so are our customers (Radware, 2020). Safeguarding our infrastructure and customer data is becoming increasingly complex and costly. We realize that no industry, including ours, is immune to cyber threats. We are dealing with modern cybercriminals who are Advanced (skillful) and Persistent in the Threats (APT) they carry out.

Cybercriminals have all the time in the world to pre-plan an attack. We must consider being on both the defensive and offensive side while developing our cyber intelligence strategy. We need to assess our technologies and the landscape we operate within. We need to evaluate and train our most vulnerable resource, our employees. While there is no such thing as perfect protection against cyber threats, I believe implementing a cybersecurity partner will prove a stop-gap. We can reassess Crowdstrike next year and take the implementation in-house if it makes more sense. Thank you for your time.

References

Beal, V. (2020). Cyber Kill Chain. Retrieved from https://www.webopedia.com: https://www.webopedia.com/TERM/C/cyber-kill-chain.html

Briggs, B. (2019, 12 16). Hackers hit Norsk Hydro with ransomware. The company responded with transparency. Retrieved from https://news.microsoft.com: https://news.microsoft.com/transform/hackers-hit-norsk-hydro-ransomware-company-responded-transparency/

Buddy, P. (2016, 10 08). Total Cost Of Ownership. Retrieved from youtube.com: https://www.youtube.com/watch?v=YKdcEOTA7Pk

Dignan, L. (2020, 07 27). Garmin's outage, ransomware attack response lacking as earnings loom. Retrieved from https://www.zdnet.com: https://www.zdnet.com/article/garmins-outage-ransomware-attack-response-lacking-as-earnings-loom/

Gatlan, S. (2020, 07 24). Garmin outage caused by confirmed WastedLocker ransomware attack. Retrieved from https://www.bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack/

Hallas, N. (2019, 10 24). Trends in Cybersecurity Breaches Continue in 2019. Retrieved from https://blog.auditanalytics.com: https://blog.auditanalytics.com/trends-in-cybersecurity-breaches-continue-in-2019/

Intel & Analysis Working Group. (2020). What is Cyber Threat Intelligence? Retrieved from https://www.cisecurity.org: https://www.cisecurity.org/blog/what-is-cyber-threat-intelligence/

landline. (2020, 08 07). Report claims Garmin paid $10 million in ransomware attack. Retrieved from https://landline.media: https://landline.media/report-claims-garmin-paid-10-million-in-ransomware-attack/

Mukherjee, A. (2017, 08 31). Cyber Kill Chain. Retrieved from http://malaysiasecuritymagazine.com: http://malaysiasecuritymagazine.com/cyber-kill-chain/

Qualys. (2020). Cyber Security Trends: Aiming Ahead of the Target to Increase Security in 2017. Retrieved from https://www.qualys.com: https://www.qualys.com/forms/whitepapers/sans-cyber-security-trends-increase-security-2017/

Radu, S. (2019, 07 12). The Financial Losses From Cybercrimes Are Up. Retrieved from https://www.usnews.com/: https://www.usnews.com/news/best-countries/articles/2019-07-12/financial-losses-from-cybercrimes-rose-in-2018-group-says#:~:text=More%20than%202%20million%20cyber,organizations%20that%20track%20data%20breaches.

Radware. (2020, 08 06). When You Get Breached, So Do Your Customers. Retrieved from https://blog.radware.com: https://blog.radware.com/security/attack-types-and-vectors/2020/08/when-you-get-breached-so-do-your-customers/

Sobers, R. (2020, 07 21). 110 Must-Know Cybersecurity Statistics for 2020. Retrieved from https://www.varonis.com: https://www.varonis.com/blog/cybersecurity-statistics/

Spaulding, W. C. (2020). Insurance Markets. Retrieved from https://thismatter.com: https://thismatter.com/money/insurance/insurance-markets.htm#:~:text=Because%20insurance%20market%20is%20competitive,to%20increase%20their%20market%20share.

Stone, J. (2019, 10 28). Norsk Hydro's cyber insurance has paid just a fraction of its breach-related losses so far. Retrieved from https://www.cyberscoop.com: https://www.cyberscoop.com/cyber-insurance-norsk-hydro-lockergoga-attack/

Taylor, h. (2020, 01 22). What Are Cyber Threats and What to Do About Them. Retrieved from https://preyproject.com: https://preyproject.com/blog/en/what-are-cyber-threats-how-they-affect-you-what-to-do-about-them/

Veracode. (2020). MAN IN THE MIDDLE (MITM) ATTACK. Retrieved from https://www.veracode.com/: https://www.veracode.com/security/man-middle-attack#:~:text=Man%2Din%2Dthe%2Dmiddle%20is%20a%20type%20of%20eavesdropping,or%20transfer%20of%20other%20data.

Whittaker, Z. (2020, 07 25). https://techcrunch.com. Retrieved from https://techcrunch.com: https://techcrunch.com/2020/07/25/garmin-outage-ransomware-sources/

Zorz, Z. (2019, 03 20). Norsk Hydro cyber attack: What happened? Retrieved from https://www.helpnetsecurity.com: https://www.helpnetsecurity.com/2019/03/20/norsk-hydro-cyber-attack/

Deloitte. (2020). Change the game: Understand your organization through an adversarial lens. Retrieved from https://www2.deloitte.com: https://www2.deloitte.com/us/en/pages/public-sector/articles/understand-organization-adversarial-lens-advanced-cyber-reconnaissance-analytics-federal-government-public-sector.html

University of San Diego. (2020). Adverisial Threat Intelligence. San Diego, CA, USA.

Reflection

I believe the adversarial assessment is a must-do activity for any business or government to survive. You must constantly assess and re-assess the competition landscape. Part of the landscape scene understands what your adversaries are doing. An adversary only needs to identify one vulnerability to gain access. By following the adversary’s perspective, an agency can “change the game,” shifting the focus to a strength-based position; thereby, reducing the effectiveness of basic and advanced adversaries (Deloitte, 2020).

From an ethical and professional point of view, private companies and government agencies will be at a significant disadvantage if they do not regularly conduct adversary assessments. Thus, I believe the adversarial review on competitors is ethical, but it depends on the collection process. The collection process to gain adversary intelligence must be conducted using available publicly and “open source intelligence (University of San Diego, 2020).” I think there is no limit to the aggressiveness on ways to gain adversary intelligence as long as it is ethical, moral, and does not break the law. As a rule of thumb, anything available and accessible in the public domain is fair game.

​Cyber Threat Intelligence (CSOL 580)

Introduction

Coursework

Norsk Hydro

References

Reflection

Cyber Threat Intelligence (CSOL 580)