Episode 27
Actionable Threat Intelligence and the Dark Web
In a recent news release, Reuters reported that "United States has offered a $15 million reward for information on Conti ransomware group. The FBI estimates that more than 1,000 victims of the Conti group have paid a total in excess of $150 million in ransomware payments." Victoria Kivilevich, Director of Threat Research at KELA Group, describes the cybercrime ecosystem and provides guidance on how to gain and leverage actionable intelligence from dark and deep web resources.
To access and download the entire podcast summary with discussion highlights --
https://www.dchatte.com/episode-27-actionable-threat-intelligence-and-the-dark-web/
Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.
Connect with Dr. Chatterjee on these platforms:
LinkedIn: https://www.linkedin.com/in/dchatte/
Website: https://dchatte.com/
Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338
Transcript
Introducer: Welcome to the Cybersecurity Readiness Podcast Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of Cybersecurity Readiness: A Holistic and High-Performance Approach. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars, consulted with companies, and served on a cybersecurity SWAT team with Chief Information Security Officers. Dr. Chatterjee is an Associate Professor of Management Information Systems at the Terry College of Business, the University of Georgia, and Visiting Professor at Duke University's Pratt School of Engineering.
Dr. Dave Chatterjee: Hello, everyone. I'm delighted to welcome you to this episode of the Cybersecurity Readiness Podcast Series. Our discussion today will revolve around gathering and leveraging threat intelligence. Victoria Kivilevich, Director of Threat Research at KELA Group, will shed light on the subject. KELA Group is a global leader in providing threat intelligence services. So Victoria, welcome.
Victoria Kivilevich: Hi, it's a pleasure.
Dr. Dave Chatterjee: To set the stage for our discussion, in a recent news release, Reuters reported that the United States has offered a $15 million reward for information on the Conti ransomware group. The Conti ransomware group is being blamed for cyber extortion attacks worldwide. The FBI estimates that more than 1,000 victims of the Conti Group have paid a total in excess of $150 million in ransomware payments. We will talk about the Conti Group and more. But let's begin by providing listeners an overview of the Dark Web. So Victoria, what is the Dark Web?
Victoria Kivilevich: So technically, the Dark Web is a part of the internet that isn't indexed by search engines, and that requires some specific software, configurations or other means to access it. Apart from the Deep Web, which includes all non-indexed and non-public-facing pages -- for example, intranet or some paywall-protected pages -- the Dark Web is intentionally hidden, and it can be accessed only via the browser which is called Tor (The Onion Router). The Dark Web is often associated with illegal and cybercrime activities. And it's true, but it's important to remember that some legitimate platforms are also located in the Tor network. There are people who prefer to use such resources because of anonymity and other security reasons. But since today we are talking about protecting companies using intelligence gained from the Dark Web, of course, we will focus on Dark Web sources featuring illegal activity. Moreover, I would prefer to use the term cybercrime ecosystem, which includes not only Dark Web sources, but also other underground communities which can be accessed on the surface Web. It is something that you can open from your usual browser and without any authorization. And these sources still contain illegal activities. And it is important not to miss them, because they can provide valuable information too. For example, instant messaging platforms that have been seen abused by various cyber criminals for illegal activities. For example, thousands of Telegram channels that sell stolen passports, sensitive information, credit cards, and more. If you focus only on Dark Web sources, you can miss this information, but it can be very sensitive and important for enterprise defenders. So the cybercrime ecosystem we are talking about represents a wide variety of goods, products and services offered by and to cyber criminals. It can be physical goods, such as drugs and guns, and it can be cyber-related stuff, for example, logins, databases, malware, tools, and more, which is usually more relevant for defenders from the side of the company. So I think we can talk about that in detail a little later.
Dr. Dave Chatterjee: Sounds good. Sounds great. Yep. I appreciate you making that correction; instead of using the word Dark Web, let's talk about it from the standpoint of a cybercrime ecosystem. Makes a lot of sense. So Victoria, listeners on this podcast represent a variety of organizations. And I'm sure they have their own threat intelligence gathering and management strategies. I think they will appreciate your insights on what are some good practices for organizations to go to these resources and leverage the intelligence that's out there, so that they can proactively prevent potential attacks. What are your thoughts? What are your recommendations to organizations?
Victoria Kivilevich: Sure. So first of all, I just want to highlight why it is important and what is so fascinating about that: the great thing is that with enough preparation, threat intelligence analysts can access the same sources that cyber criminals have access to. And therefore, you can see how your company looks from the cyber criminals' perspective. For example, is it discussed by the cybercriminals as a potential target? What information related to the company has been leaked or traded? Is the company's resource listed as vulnerable to a specific vulnerability? Maybe there is some hacking tutorial that teaches how to abuse your company's service for customers or employees? So these are just a few examples of what can be found in cybercrime sources, and information about all the above can be found using threat intelligence solutions that automate the process, and so they help to continuously monitor the company's assets in multiple cybercrime sources. And I believe that's the key, because you can't just go into the Dark Web once and check what's going on, what's happening regarding your company, and then just leave it. You need to constantly be ahead of the cybercriminals. Of course, you can also use manual investigations within the Dark Web, though it can be a little time consuming, because it requires knowledge of the many relevant sources, forums, marketplaces, how to access them, foreign language capabilities, also managing numerous user accounts and aliases, having a positive reputation, and so on and so on. So conducting investigation in the cybercrime ecosystem requires time and effort and some specialized solutions, but it will pay off with the valuable information you can get. So, what do we deem as valuable information? It's not only raw data, but also the context. So I believe one of the important steps is trying to evaluate the information that you see in the Dark Web, trying to connect the dots, and also to have an established process of how to pass this information to people who make decisions, because this information can just stay in your daily report, or it can be the information that will be taken into account.
Dr. Dave Chatterjee: That is so true. In fact, one of the things that I have found in my research is that many of the attacks have happened because the threat intelligence wasn't acted upon. In other words, the threat intelligence was received, it stayed somewhere, it didn't get to the right decision makers. So, from a procedural standpoint, from an organization structure standpoint, it's very important that organizations recognize how to manage this intelligence. Like you said, one thing is to gather the information; the other thing is to validate it, put it together in a meaningful format, and make it available in a timely manner to the decision makers so they can quickly act on it. And acting doesn't necessarily mean that you have to do something substantive; you can still make a judgment call and say, okay, that's good to know, but at this point we want to still continue with the status quo, and we will revisit the situation, maybe in the next few days. But the important part is that you have reviewed the intelligence, you've taken a decision. And I also recommend organizations go a step further and document this process. So later on, if something were to happen, there is a fallback in this documentation where the executives can reference it and say, look, we did the due diligence, we made a decision of going a certain way, for these reasons. Unfortunately, we were proven wrong, but our best interests were in place; we were not acting in an irresponsible manner. So that's great insight. Moving along, you mentioned about kind of the top targets. And let's say I am representing the security team of my organization. Obviously, I would not want my organization to be a top target. But I would like to know if it is. And so I'm just curious, can you shed some light on what makes for a top target?
Victoria Kivilevich: Yeah, so essentially, they target any company that can bring some revenue for them, some profits. So I would say there are different types of cyber criminals, and some of them are only attacking companies to further sell this information to other cyber criminals. So they are acting as part of a supply chain; it can be due to many reasons. For example, they aren't sophisticated enough to conduct a full-scale attack. Maybe some of them are experts in one niche, some just prefer to have a stable income and to sell what they have instead of figuring out how to monetize this data independently. For example, one actor can use phishing tactics to steal personal data, just sell it and receive his money, or he can use this data to conduct identity fraud, which will require more skills and knowledge. For example, unemployment fraud in the US requires an actor to try multiple personal information records to find the ones that will work for this type of fraud and match the targeted state, file an unemployment claim, bypass the identity service, and so on and so on. So logically, the actors who conduct full-scale attacks can earn more, since they're stealing money directly from affected individuals or companies, or blackmailing them. So I would say that, for the first type of actors, it doesn't really matter, usually, what the company is, because all they want is just to gain something and then to sell it to other, more skilled cyber criminals. But when we are talking about cyber criminals who conduct the attacks till the end, and they receive money from the victim, for them it's really important to know the revenue of the company, the sector of the company, and how it can be abused.
Dr. Dave Chatterjee: That's very useful. In fact, for clarification's sake, you mentioned about a type of threat actor. I think the term might be Initial Access Brokers, but please correct me. These are the folks who are able to compromise networks and sell credentials to other threat actors, such as ransomware operators. Am I correct in using that term, Initial Access Brokers?
Victoria Kivilevich: Yes, that's totally correct.
Dr. Dave Chatterjee: Okay. So again, from the standpoint of an organization that is trying to protect themselves from getting hurt, from getting attacked, how is the relationship between the Initial Access Brokers and, say, the ransomware attackers, how is that significant?
Victoria Kivilevich: So it's very significant, because Initial Access Brokers play a crucial role in the ransomware economy, and especially in the ransomware-as-a-service economy, which is a model that enables cyber criminals, also known as affiliates, to use ransomware to execute attacks and get a share of the ransom if the company pays the ransom in the end. So as you've mentioned, Initial Access Brokers sell remote access to a computer in a compromised organization, which is called initial network access. How does it work? First, the broker needs to find an initial infection vector, for example, compromised RDP (Remote Desktop Protocol) or VPN (Virtual Private Network) credentials. Then he needs to research an organization: if it's worth the effort, if it's even a company, if it's big enough, if it's interesting. And then he needs to transform it into a wider compromise, for example, achieve higher privileges, and then all he needs is to supply access to a buyer, for example, in the form of RDP credentials. So, if this buyer is related to a ransomware operation, he can use it to enter the network, move laterally, and deploy ransomware in all the environment. And the initial access phase is already taken care of by the Initial Access Broker, and it really significantly eases the process and scales the attacks. So of course, ransomware operators have other ways of getting access; they rely on phishing campaigns, botnets and more. And likewise, Initial Access Brokers can sell network access to any actor, not only to ransomware actors. They can sell it to financially motivated APTs, which are Advanced Persistent Threat actors, usually state-backed; they can sell it to data brokers and any threat actor that has a way to monetize the said access. But as we've seen, Initial Access Brokers and ransomware actors have an established cooperation. And that is why Initial Access Brokers are an essential part of the supply chain for many ransomware operations. That's why it's important to track their offers.
Dr. Dave Chatterjee: Wow, that is so interesting and enlightening. You touched upon the profile of top targets. If we get more specific and think in terms of ransomware attacks, what is the profile of an ideal ransomware target? Is it different from the top targets of initial access brokers?
Victoria Kivilevich: Yeah, that's a great question, because really, it is a little different. So Initial Access Brokers usually list some properties of a compromised company, which help other threat actors to understand if this victim is valuable. These properties can include revenue, size (which is the number of employees), industry and description of the company. And usually, the bigger the revenue, the more the access costs. But for Initial Access Brokers, it's important only to sell the access. So they do not need to pay a lot of attention to countries and sectors. Essentially, every company that is vulnerable is good for them, because they will find a buyer most likely, even if it's not a ransomware attack, and then sell it to another criminal. We see that initial access brokers offer a lot of access to universities, but they tend to cost less. And we have also seen ransomware actors discuss that universities, especially not the major ones, do not tend to pay ransom. So that's one difference. The same about healthcare institutions. When the pandemic started, some ransomware actors said they would not attack medical institutions, but it didn't stop initial access brokers from offering them for sale. So, ransomware actors are more focused, and based on the conditions that they state on various cybercrime forums, we found that an ideal ransomware victim is: based in the US, has more than $60 million in revenue, and most likely it's not from the education, government and nonprofit sector, because it's just not valuable for them. These victims won't pay money, most likely. And we have also seen a confirmation of that by a representative of the LockBit ransomware operation. He said that the insurance in the ransomware sphere is more developed in the US and in Europe, and the largest number of the world's wealthiest companies is concentrated there. So he explained why they are targeting mostly these countries. Interestingly, the actors define not only the desired revenue and country, but also the type of access, and it can be very beneficial for enterprise defenders. So first of all, you can understand if your company is a potential target, but I know it sounds too wide, because essentially any medium-sized or big profitable company is a target. So what is more interesting is the type of access, which sheds light on some TTPs (Tactics, Techniques, and Procedures) of ransomware attackers, as the desired type of access they state is RDP and VPN, and it should trigger enterprise defenders to pay more attention to these solutions and securing them, for example, enabling two-factor authentication for VPN connections. Also, the actors name specific products they are targeting to ease their attack. Some names that we've seen -- Citrix, Fortinet, Cisco, Pulse Secure VPNs and other solutions. When seeing these requirements, any defender can identify the threat more correctly, and pay attention to whether these products are used in the environment, and if they should pay more attention to patching them and securing them. And what is the most interesting is that when studying Initial Access Brokers and ransomware attackers, we can understand specific vulnerabilities used by actors. For example, we've seen one actor sharing his entire process of getting into the network. And he mentioned the use of an automated script -- a program which weaponizes one of the vulnerabilities in Pulse Connect Secure VPNs. And if not patched, this flaw can be used by different actors to attack the network and cause different, separate attacks. And it can be not only one actor: if someone attacked you using one flaw, now another actor can also find this and use it for a separate attack. So you can become a double victim.
Dr. Dave Chatterjee: Very interesting. Now, as you talk about ransomware attackers and victims, my thought goes to organizations that are often double victims. And my research finds that these are the organizations who have paid once. And so there's the intelligence out there that they'll probably pay again; that's one way of thinking about double victims. Another way of thinking about double victims is that the attackers, the ransomware attackers these days, not only steal your data and encrypt your network, your systems, but they're also selling the data. So even if you regain access to your network, that is not a guarantee that your data is not already out there in one of the Dark Web resources, being sold to some other threat actor. So what advice do you have for organizations from the standpoint of avoiding becoming double victims?
Victoria Kivilevich: So I would say that the most important point is to properly investigate the incidents, because a company can become a double victim if different actors use one entry vector that wasn't secured after the first attack. So proper investigation, and acting using the results of the investigation, is essential. And of course, the company should have some established practices. For example, cybersecurity awareness and training for all key stakeholders and employees. All key individuals should know how to safely use their credentials and personal information online. Also, there should be, of course, an established process of vulnerability monitoring and patching, because you should continually protect all the network infrastructure and prevent any unauthorized access, either by Initial Access Brokers or other cyber criminals. And of course, the automated and targeted monitoring of key assets in the cybercrime ecosystem can help to immediately detect threats emerging from the cybercrime ecosystem. I just want maybe to show an example of two attacks that started in the Dark Web and then evolved into a full-scale attack. For example, in June 2021, the hack of Electronic Arts, a video game company: it began with hackers who purchased stolen cookies sold online for just $10 on Genesis market, which is a market of information stolen via information-stealing malware. So, a cookie is something that can save the login details of particular users, and potentially allowed hackers to log into services as that person. And this is what these specific hackers did. They used these credentials to gain access to a Slack channel used in Electronic Arts. Once in the Slack channel, they tricked one of their employees into providing a multi-factor authentication token; they just messaged their IT support members and said that they lost their phone at the party, and that's why they need another authentication token. And once they received this token, they logged into a corporate network. And then they found the service for developers that they use to compile games. And then they just stole game source code, which is, of course, very valuable for the video gaming company. And they said they had almost 800 gigabytes of data. And they were advertising it for sale on various underground forums. So if this cookie had not been bought from this underground market, maybe the attack would not have happened. And of course, as we were talking about Initial Access Brokers and ransomware attacks, we have also seen a lot of examples of an attack that started from network access and continued into a full-scale ransom attack. From what we've seen, one of the examples is very interesting, because it was confirmed by the company's investigation. We saw the Initial Access Broker offering initial network access to the company, which we identified as Gyrodata. It's a US-based energy company. He offered the access on January 16. Two days later, the actor declared the access was sold. And one month later, on February 20, the operators of Darkside ransomware published a blog post claiming to have compromised the same company. So logically, we assumed it's one attack. And then we saw the Gyrodata investigation. And it confirmed our findings, because they said that the unauthorized actor gained access to certain systems and related data within the company's environment from approximately January 16 to February 22. So this is the same timeline. And we have seen a lot of examples. And we have identified at least five ransomware operations, most of them managed by Russian-speaking actors, who are buying accesses from initial access brokers and using this access in their attacks. For example, LockBit, Avaddon, Darkside, Conti, BlackByte. So you can ask me, why is it even valuable? Why should we follow this information? Because, as we've seen, from the moment the access is listed on sale, it takes on average one month to attack the company, to try to have negotiations, and then to publish its name on the ransomware blog if the negotiations fail. So it means that a network access victim has a few days, sometimes even weeks, to understand that it's compromised, and to secure the access, to find this unauthorized access, and to prevent a future attack.
Dr. Dave Chatterjee: Very interesting. Thank you for providing us with these great examples. Now, let me present you with a scenario. An attacker approaches an organization and says that they have the organization's data. And obviously they're asking for money. What kinds of checks should the organization engage in to verify if the threat is a real one?
Victoria Kivilevich:It's an excellent question, because we
Victoria Kivilevich:do see a lot of actors that try to pretend they're skilled
Victoria Kivilevich:actors. But in reality, they are just some beginners that trying
Victoria Kivilevich:to gain easy profits. So, it is really important to first
Victoria Kivilevich:understand context. And second, ask for proof, for example,
Victoria Kivilevich:someone approaches you and says your vendor was attacked, and
Victoria Kivilevich:your data was stolen. So there is a lot of actors that just
Victoria Kivilevich:prey on data breaches that already that already happened,
Victoria Kivilevich:and they can use them to intimidate you and ask for
Victoria Kivilevich:ransom without having any data. So in this case, it is important
Victoria Kivilevich:to understand if such email is even in TTPs of a specific
Victoria Kivilevich:group, do they really inform clients of an attacked company
Victoria Kivilevich:about the breach? We had such case with a-Clop ransomware and
Victoria Kivilevich:we confirmed that this is a genuine email that they really
Victoria Kivilevich:send emails to all the vendors, partners and clients to
Victoria Kivilevich:intimidate the company, but easily it could be another
Victoria Kivilevich:ransomware gang that doesn't have it in its TTPs. And then
Victoria Kivilevich:you need to go further. What I mean by going further is to
Victoria Kivilevich:understand what proof they have, because I have an excellent
Victoria Kivilevich:example with Conti that you mentioned -- the ransom
Victoria Kivilevich:operation which made a lot of headlines. We have visibility in
Victoria Kivilevich:their TTPs, thanks to recent leak of their internal
Victoria Kivilevich:information. So as a response to Conti's support of the
Victoria Kivilevich:Russian invasion of Ukraine, a suspected Ukrainian researcher
Victoria Kivilevich:just leaked internal conversations of its members.
Victoria Kivilevich:And it gave us a lot of valuable information. For example, we
Victoria Kivilevich:found that Conti, a respected, known operation, frequently lies
Victoria Kivilevich:to victims about the stolen data; they insist they have more
Victoria Kivilevich:than what's actually stolen. I've seen an example where they
Victoria Kivilevich:discussed some company from Canada, and one of the Conti
Victoria Kivilevich:workers complained to a high profile member of Conti, that he
Victoria Kivilevich:could not find files requested by the victim. And he claimed
Victoria Kivilevich:that the team that was attacking the network didn't download all
Victoria Kivilevich:the files from the file tree. So they demonstrated this file tree
Victoria Kivilevich:to the victim. And it was a huge file tree. And the victim, of
Victoria Kivilevich:course, was persuaded that they have a lot of data. But it
Victoria Kivilevich:wasn't true. In another example we've seen, the same
Victoria Kivilevich:actor said that only eight gigabytes of data were stolen
Victoria Kivilevich:from the network. Of course, in negotiations, they said it was a
Victoria Kivilevich:lot more. And in the end, this victim paid ransom, and it was
Victoria Kivilevich:over $1 million. So over $1 million for 8 gigabytes of
Victoria Kivilevich:files, and they didn't know it. And, as you've said, the
Victoria Kivilevich:ransomware actors usually say that, of course, after receiving
Victoria Kivilevich:the money, we will delete all information that we have. So
Victoria Kivilevich:what they did, they didn't send any proof after being paid.
Victoria Kivilevich:They just said that we deleted all the data, all the logs. And
Victoria Kivilevich:that's it. So the proof is very important. Second step after
Victoria Kivilevich:trying to understand what's the context, what is the background
Victoria Kivilevich:of the attacker, if you have an opportunity to interact with the
Victoria Kivilevich:attacker, you need to ask for proofs. First of all, these
Victoria Kivilevich:proofs can help you to understand what data was taken.
Victoria Kivilevich:And if it even was taken. And second, maybe it will give you
Victoria Kivilevich:some insights about what tools were used to compromise your
Victoria Kivilevich:network, maybe what specific software was compromised,
Victoria Kivilevich:because when the actor sends proof, they can accidentally
Victoria Kivilevich:leave some information that will lead you to securing your
Victoria Kivilevich:environment and find the unauthorized access that the
Victoria Kivilevich:attackers have.
Dr. Dave Chatterjee:Very insightful. Thank you. Again,
Dr. Dave Chatterjee:this is very, very useful information that I know many
Dr. Dave Chatterjee:organizations can benefit from. So you talked about the Conti
Dr. Dave Chatterjee:Group, I'm sure there are many players out there. And you are
Dr. Dave Chatterjee:the expert in this area. Is it important that organizations
Dr. Dave Chatterjee:make a concerted focused effort to learn about each of these
Dr. Dave Chatterjee:groups? Because I see this as a never ending proposition because
Dr. Dave Chatterjee:these groups are evolving, they're appearing, maybe some
Dr. Dave Chatterjee:disappear, it almost seems that an organization needs to have a
Dr. Dave Chatterjee:team that solely focuses on monitoring this ecosystem
Dr. Dave Chatterjee:monitoring these new players, existing players, that's a lot
Dr. Dave Chatterjee:of activity. What are your thoughts? What is your advice,
Dr. Dave Chatterjee:how best to try and get your hands around all that's going
Dr. Dave Chatterjee:on, in as you call it, the cybercrime ecosystem?
Victoria Kivilevich:So of course, each company should have
Victoria Kivilevich:a team that is focused on securing the company's assets.
Victoria Kivilevich:Of course, studying the ecosystem is another step, which
Victoria Kivilevich:provides a lot of valuable information. But I understand
Victoria Kivilevich:that some companies don't have resources for that. So there are
Victoria Kivilevich:a lot of companies that publish open source, open research that
Victoria Kivilevich:you can access. And this is something that you need to
Victoria Kivilevich:follow, because, as you've said, the groups are appearing and
Victoria Kivilevich:disappearing. And maybe the name is not important, so much for
Victoria Kivilevich:enterprise defenders, but TTPs, and what tools they're using,
Victoria Kivilevich:that is really important. And as I mentioned, with the Conti
Victoria Kivilevich:leak, sometimes it happens that accidentally or thanks to
Victoria Kivilevich:efforts of researchers, we get our hands on information that
Victoria Kivilevich:can be very valuable. And that is, if we're speaking, for
Victoria Kivilevich:example, about ransomware-as-a-service, that is
Victoria Kivilevich:a flaw in their operation because they have a lot of
Victoria Kivilevich:people in the team. Of course, it raises so called insider
Victoria Kivilevich:threat, something happens, an affiliate is not happy with the
Victoria Kivilevich:conditions that he got. And he can just reveal all the manuals
Victoria Kivilevich:of the ransomware operation on one of the forums. And that is
Victoria Kivilevich:why following on this news is very important, because you can
Victoria Kivilevich:just receive a tutorial on how a ransomware attacker could breach
Victoria Kivilevich:into your network from the beginning what tools they can
Victoria Kivilevich:use, even what infrastructure. Because we spoke a lot about
Victoria Kivilevich:Conti, I cannot not mention that they allegedly shut down
Victoria Kivilevich:their operations. And they separated into smaller units. So
Victoria Kivilevich:we can expect a lot of new gangs using these old methods. And of
Victoria Kivilevich:course, they can also use new methods because even among
Victoria Kivilevich:different teams in one ransomware group, the TTPs may
Victoria Kivilevich:differ. So it's crucial to track it since they can use both new
Victoria Kivilevich:methods and all successful tricks, which include
Victoria Kivilevich:infrastructure, which includes supply chain, the same Initial
Victoria Kivilevich:Access Brokers that we've seen being used by Conti in these
Victoria Kivilevich:internal leaks. They said they found them on forums; they were
Victoria Kivilevich:actually exchanging messages like, "Hey, I've seen this guy
Victoria Kivilevich:on the forum, I think we should work with him." So it means that
Victoria Kivilevich:new groups can also leverage the same Initial Access Brokers. And
Victoria Kivilevich:even if attackers tried to hide their identity and not to
Victoria Kivilevich:contact the sellers directly, for example, we can still see
Victoria Kivilevich:these suppliers in cybercrime sources. And we can still
Victoria Kivilevich:evaluate how a specific company looks in the eyes of attackers
Victoria Kivilevich:and what they can use to attack. So unluckily for us, the
Victoria Kivilevich:cybercrime ecosystem is unlikely to disappear. But luckily
Victoria Kivilevich:for us, we can have almost the same visibility into these
Victoria Kivilevich:threats as potential attackers.
Dr. Dave Chatterjee:That is so true. And as you were, you were
Dr. Dave Chatterjee:discussing so many different topics in the context of how to
Dr. Dave Chatterjee:leverage the intelligence from these dark groups, if I may, if
Dr. Dave Chatterjee:I had to summarize some of my takeaways from this discussion.
Dr. Dave Chatterjee:First and foremost, organizations can't afford to
Dr. Dave Chatterjee:ignore these very valuable resources. As we have discussed
Dr. Dave Chatterjee:previously, during our planning meetings, it may not be easy for
Dr. Dave Chatterjee:organizations to gain access to these resources. So they may
Dr. Dave Chatterjee:have to deploy intermediaries who can gain access on their
Dr. Dave Chatterjee:behalf, and keep them posted on a regular basis on all kinds of
Dr. Dave Chatterjee:intelligence, whether that organization is a target or not,
Dr. Dave Chatterjee:what are the types of attacks that they should be prepared
Dr. Dave Chatterjee:for. So it's a constant exercise that a company needs to engage
Dr. Dave Chatterjee:in, they need to have the right teams in place, who are
Dr. Dave Chatterjee:monitoring the intelligence who are sharing reporting the
Dr. Dave Chatterjee:intelligence, and they're also people in place who are
Dr. Dave Chatterjee:reviewing it, and responding to the intelligence as soon as
Dr. Dave Chatterjee:possible. Because, you can gather all the intelligence in
Dr. Dave Chatterjee:the world, but if you don't act on it, then what's the point,
Dr. Dave Chatterjee:which is unfortunately, the case, in many, many
Dr. Dave Chatterjee:organizations, it happens quite a lot. So this is a lot of great
Dr. Dave Chatterjee:information, Victoria. Really enjoyed this conversation. But
Dr. Dave Chatterjee:I'd like to give you the final opportunity to conclude with
Dr. Dave Chatterjee:some final thoughts, some final takeaways for the
Dr. Dave Chatterjee:audience. Yeah, so
Victoria Kivilevich:All that you said is a totally great
Victoria Kivilevich:summary of what I've been talking about. I would like just
Victoria Kivilevich:to add that, as you mentioned, it is really important to
Victoria Kivilevich:document all of the investigations and threat
Victoria Kivilevich:intelligence. And I would also say it's really important to
Victoria Kivilevich:filter the noise, because there are a lot of threats that seem to
Victoria Kivilevich:be threats. But in the end, you understand that
Victoria Kivilevich:it's not something that is dangerous for your organization.
Victoria Kivilevich:And if you document it, maybe the next time you don't need to
Victoria Kivilevich:dedicate all this time and effort the second time to try
Victoria Kivilevich:to understand if it's something dangerous. And summarizing
Victoria Kivilevich:why the cybercrime ecosystem is so important: it's because
Victoria Kivilevich:nowadays the typical cyber criminal does not work on his
Victoria Kivilevich:own. Even the most basic criminal business requires
Victoria Kivilevich:different tools, services, and all of them are available for
Victoria Kivilevich:purchase on the cybercrime forums. Also, the cybercrime
Victoria Kivilevich:ecosystem shifted towards something we call
Victoria Kivilevich:everything-as-a-service model, meaning instead of just
Victoria Kivilevich:purchasing tools, and then conducting attacks, any threat
Victoria Kivilevich:actor can employ any number of services to receive needed
Victoria Kivilevich:information. For example, if a threat actor wants to conduct
Victoria Kivilevich:some form of identity fraud, meaning to impersonate a person
Victoria Kivilevich:to receive profits, they can easily purchase personal
Victoria Kivilevich:information, protected health information, and identification
Victoria Kivilevich:documents instead of trying to receive it by themselves. So
Victoria Kivilevich:such automation has two primary consequences. Firstly, it lowers
Victoria Kivilevich:the level of sophistication and technical knowledge required by
Victoria Kivilevich:typical cyber criminals, which of course, raises the number of
Victoria Kivilevich:attacks. And secondly, it resulted in hundreds of
Victoria Kivilevich:organized cyber criminal groups, which specialize and provide
Victoria Kivilevich:services to other cyber criminals. So this is the whole
Victoria Kivilevich:ecosystem, where you can find anything, and most likely
Victoria Kivilevich:you will find something connected to a company. And then
Victoria Kivilevich:it is up to you, and this is your next step: to build a
Victoria Kivilevich:proper process of reacting to this raw data and turning it
Victoria Kivilevich:into threat intelligence, actionable threat intelligence that
Victoria Kivilevich:can be used to secure your organization.
Dr. Dave Chatterjee:Thank you so much, Victoria. It has been
Dr. Dave Chatterjee:such a pleasure.
Victoria Kivilevich:Pleasure for me too. Thank you.
Dr. Dave Chatterjee:A special thanks to Victoria Kivilevich
Dr. Dave Chatterjee:for her time and insights. If you like what you heard, please
Dr. Dave Chatterjee:leave the podcast a rating and share it with your network. Also
Dr. Dave Chatterjee:subscribe to the show, so you don't miss any new episodes.
Dr. Dave Chatterjee:Thank you for listening, and I'll see you in the next
Dr. Dave Chatterjee:episode.
Introducer:The information contained in this podcast is for
Introducer:general guidance only. The discussants assume no
Introducer:responsibility or liability for any errors or omissions in the
Introducer:content of this podcast. The information contained in this
Introducer:podcast is provided on an as is basis with no guarantee of
Introducer:completeness, accuracy, usefulness, or timeliness. The
Introducer:opinions and recommendations expressed in this podcast are
Introducer:those of the discussants and not of any organization.