Episode 27

Actionable Threat Intelligence and the Dark Web

In a recent news release, Reuters reported that "United States has offered a $15 million reward for information on Conti ransomware group. The FBI estimates that more than 1,000 victims of the Conti group have paid a total in excess of $150 million in ransomware payments."  Victoria Kivilevich, Director of Threat Research at KELA Group, describes the cybercrime ecosystem and provides guidance on how to gain and leverage actionable intelligence from dark and deep web resources.


Time Stamps

00:41 -- Let's begin by providing listeners an overview of the Dark Web. So Victoria, what is the Dark Web?

04:09 -- What are some good practices for organizations to leverage intelligence from Dark Web type resources to proactively prevent potential attacks? What are your thoughts? What are your recommendations?

07:02 -- Let's say, I am representing the security team of my organization. Obviously, I would not want my organization to be a top target. But I would like to know if it is. Shed some light on what makes for a top target?

11:13 -- From an organization's standpoint, how is the relationship between the Initial Access Brokers and say the ransomware attackers significant?

13:27 -- What is the profile of an ideal ransomware target? Is it different from the top targets of Initial Access Brokers?

17:29 -- What advice do you have for organizations from the standpoint of avoiding becoming double victims?

22:54 -- Now, let me present you with a scenario. An attacker approaches an organization and says that they have the organization's data. Obviously, they're asking for money. How should the organization evaluate the genuineness of the threat?

26:53 -- It almost seems that an organization needs to have a team that solely focuses on monitoring the cybercrime ecosystem. What are your thoughts and advice?

30:42 -- What are your final thoughts?


Memorable Victoria Kivilevich Quotes

"I believe one of the important steps is to evaluate the genuineness of the information that you see on the Dark Web and other cybercrime sources, connect the dots, and also have in place an established process of passing on the intelligence to people who make decisions."

"An ideal ransomware victim is based in the US, has more than $60 million in revenue, and most likely is not from education, government, or the nonprofit sector, because it's just not valuable for the ransomware attackers."

"From the moment the access credentials are listed for sale, it takes on average one month to attack the company, try and have negotiations, and then publish the company name on the ransomware blog if the negotiations fail."

"So unluckily for us, the cybercrime ecosystem will unlikely disappear. But luckily for us, we can have almost the same visibility into the attack surfaces as potential attackers."


Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

Transcript
Introducer:

Welcome to the Cybersecurity Readiness Podcast

Introducer:

Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of

Cybersecurity Readiness:

A Holistic and High-Performance

Cybersecurity Readiness:

Approach. He has been studying cybersecurity for over a decade,

Cybersecurity Readiness:

authored and edited scholarly papers, delivered talks,

Cybersecurity Readiness:

conducted webinars, consulted with companies, and served on a

Cybersecurity Readiness:

cybersecurity SWAT team with Chief Information Security

Cybersecurity Readiness:

officers. Dr. Chatterjee is an Associate Professor of

Cybersecurity Readiness:

Management Information Systems at the Terry College of

Cybersecurity Readiness:

Business, the University of Georgia and Visiting Professor

Cybersecurity Readiness:

at Duke University's Pratt School of Engineering.

Dr. Dave Chatterjee:

Hello, everyone. I'm delighted to

Dr. Dave Chatterjee:

welcome you to this episode of the Cybersecurity Readiness

Dr. Dave Chatterjee:

Podcast Series. Our discussion today will revolve around

Dr. Dave Chatterjee:

gathering and leveraging threat intelligence. Victoria

Dr. Dave Chatterjee:

Kivilevich, Director of Threat Research at KELA Group will shed

Dr. Dave Chatterjee:

light on the subject. KELA Group is a global leader in

Dr. Dave Chatterjee:

providing threat intelligence services. So Victoria, welcome.

Victoria Kivilevich:

Hi, it's a pleasure.

Dr. Dave Chatterjee:

To set the stage for our discussion, in a

Dr. Dave Chatterjee:

recent news release, Reuters reported that United States has

Dr. Dave Chatterjee:

offered a $15 million reward for information on the Conti

Dr. Dave Chatterjee:

ransomware group. The Conti ransomware group is being blamed

Dr. Dave Chatterjee:

for cyber extortion attacks worldwide. The FBI estimates

Dr. Dave Chatterjee:

that more than 1000 victims of the Conti Group have paid a

Dr. Dave Chatterjee:

total in excess of $150 million in ransomware payments. We will

Dr. Dave Chatterjee:

talk about the Conti Group and more. But let's begin by

Dr. Dave Chatterjee:

providing listeners an overview of the Dark Web. So Victoria,

Dr. Dave Chatterjee:

what is the Dark Web.

Victoria Kivilevich:

So technically, Dark Web is a part

Victoria Kivilevich:

of the internet that isn't indexed by search engines, and

Victoria Kivilevich:

that requires some specific software, configurations or

Victoria Kivilevich:

other means to access it. And apart from Deep Web, which

Victoria Kivilevich:

includes all non-indexed and non-public facing pages -- for

Victoria Kivilevich:

example, intranet or some paywall- protected pages --

Victoria Kivilevich:

apart from that, Dark Web is intentionally hidden and it can

Victoria Kivilevich:

be accessed only via the browser, which is called Tor

Victoria Kivilevich:

(The Onion Router). And Dark Web is often associated with illegal

Victoria Kivilevich:

and cybercrime activities. And it's true, but it's important to

Victoria Kivilevich:

remember that some legitimate platforms are also located in

Victoria Kivilevich:

the Tor network. There are people who prefer to use such

Victoria Kivilevich:

resources because of anonymity and other security reasons. But

Victoria Kivilevich:

since today we are talking about protecting companies using

Victoria Kivilevich:

intelligence gained from the Dark Web of course, we will

Victoria Kivilevich:

focus on Dark Web sources featuring illegal activity.

Victoria Kivilevich:

Moreover, I would prefer to use the term cybercrime ecosystem,

Victoria Kivilevich:

which includes not only Dark Web sources, but also other

Victoria Kivilevich:

underground communities, which can be accessed in the surface

Victoria Kivilevich:

Web. And it is something that you can open from your usual

Victoria Kivilevich:

browser and without any authorization. And these sources

Victoria Kivilevich:

still contain illegal activities. And it is important

Victoria Kivilevich:

not to miss them because they can provide valuable information

Victoria Kivilevich:

too. For example, instant messaging platforms that have

Victoria Kivilevich:

been seen abused by various cyber criminals for illegal

Victoria Kivilevich:

activities. For example, 1000s of telegram channels that sell

Victoria Kivilevich:

stolen passports sensitive information, credit cards, and

Victoria Kivilevich:

more. If you focus only on Dark Web sources, you can miss this

Victoria Kivilevich:

information but it can be very sensitive and important for

Victoria Kivilevich:

enterprise defenders. So the Cybercrime ecosystem we are

Victoria Kivilevich:

talking about represents a wide variety of goods, products and

Victoria Kivilevich:

services offered by and to cyber criminals. It can be physical

Victoria Kivilevich:

goods, such as drugs, and guns, and it can be cyber related

Victoria Kivilevich:

stuff, for example, logins, databases, malware, tools, and

Victoria Kivilevich:

more, which is usually more relevant for defenders from the

Victoria Kivilevich:

side of the company. So I think we can talk about that in detail

Victoria Kivilevich:

a little later.

Dr. Dave Chatterjee:

Sounds good. Sounds great. Yep. I

Dr. Dave Chatterjee:

appreciate you making that correction, instead of using the

Dr. Dave Chatterjee:

word Dark Web, let's talk about it from the standpoint of a

Dr. Dave Chatterjee:

cybercrime ecosystem. Makes a lot of sense. So Victoria,

Dr. Dave Chatterjee:

listeners on this podcast, represent a variety of

Dr. Dave Chatterjee:

organizations. And I'm sure they have their own threat

Dr. Dave Chatterjee:

intelligence gathering and management strategies. I think

Dr. Dave Chatterjee:

they will appreciate your insights on what are some good

Dr. Dave Chatterjee:

practices for organizations to go to these resources and

Dr. Dave Chatterjee:

leverage the intelligence that's out there so that they can

Dr. Dave Chatterjee:

proactively prevent potential attacks. What are your thoughts?

Dr. Dave Chatterjee:

What are your recommendations to organizations?

Victoria Kivilevich:

Sure. So first of all, I just want to

Victoria Kivilevich:

highlight why it is important and what is so fascinating about

Victoria Kivilevich:

that; that the great thing is that with enough preparation

Victoria Kivilevich:

threat intelligence analysts can access the same sources that

Victoria Kivilevich:

cyber criminals have access to. And therefore, you can see how

Victoria Kivilevich:

your company looks from the cyber criminals' perspective.

Victoria Kivilevich:

For example, is it discussed by the cybercriminals as a

Victoria Kivilevich:

potential target? What information related to the

Victoria Kivilevich:

company's been leaked or traded? Is the company's resource listed

Victoria Kivilevich:

as vulnerable to a specific vulnerability? Maybe there is

Victoria Kivilevich:

some hacking tutorial that teaches how to abuse your

Victoria Kivilevich:

company's service for customer employees? So these are just a

Victoria Kivilevich:

few examples of what can be found in cybercrime sources and

Victoria Kivilevich:

information about all the above can be found using threat

Victoria Kivilevich:

intelligence solutions that automate the process, and so

Victoria Kivilevich:

they help to continuously monitor the company's assets in

Victoria Kivilevich:

multiple cybercrime sources. And I believe that's the key because

Victoria Kivilevich:

you can't just go in the Dark Web once and check what's going

Victoria Kivilevich:

on, what's happening regarding your company, and then just

Victoria Kivilevich:

leave it. You need to constantly be ahead of the cybercriminals.

Victoria Kivilevich:

Of course, you can also use manual investigations within the

Victoria Kivilevich:

Dark Web, though it can be a little time consuming because it

Victoria Kivilevich:

requires knowledge of the many relevant sources, forums,

Victoria Kivilevich:

marketplaces, how to access them, foreign language

Victoria Kivilevich:

capabilities, also managing numerous user accounts aliases,

Victoria Kivilevich:

having positive reputation and so on and so on. So conducting

Victoria Kivilevich:

investigation in the cybercrime ecosystem requires time and

Victoria Kivilevich:

effort and some specialized solutions, but it will pay off

Victoria Kivilevich:

with valuable information you can get. So, what do we deem as

Victoria Kivilevich:

valuable information? It's not only raw data, but also the

Victoria Kivilevich:

context. So I believe one of the important steps is trying to

Victoria Kivilevich:

evaluate the information that you see in Dark Web, trying to

Victoria Kivilevich:

connect the dots, and also to have an established process of

Victoria Kivilevich:

how to pass this information to people who make decisions,

Victoria Kivilevich:

because this information can just stay in your daily report

Victoria Kivilevich:

or it can be the information that will be taken into account.

Dr. Dave Chatterjee:

That is so true. In fact, one of the things

Dr. Dave Chatterjee:

that I have found in my research that many of the attacks have

Dr. Dave Chatterjee:

happened, because the threat intelligence wasn't acted upon.

Dr. Dave Chatterjee:

In other words, the threat intelligence was received, it

Dr. Dave Chatterjee:

stayed somewhere it didn't get to the right decision makers.

Dr. Dave Chatterjee:

So, from a procedural standpoint, from an organization

Dr. Dave Chatterjee:

structure standpoint, it's very important that organizations

Dr. Dave Chatterjee:

recognize how to manage this intelligence, like you said, one

Dr. Dave Chatterjee:

thing is to gather the information, the other thing is

Dr. Dave Chatterjee:

to validate it, put it together in a meaningful format, and make

Dr. Dave Chatterjee:

it available in a timely manner to the decision makers so they

Dr. Dave Chatterjee:

can quickly act on it. And acting doesn't necessarily mean

Dr. Dave Chatterjee:

that you have to do something substantive, you can still make

Dr. Dave Chatterjee:

a judgment call and say, Okay, that's good to know. But at this

Dr. Dave Chatterjee:

point, we want to still continue with the status quo. And we will

Dr. Dave Chatterjee:

revisit the situation, maybe in the next few days. So but the

Dr. Dave Chatterjee:

important part is that you have reviewed intelligence, you've

Dr. Dave Chatterjee:

taken a decision. And I also recommend organizations go a

Dr. Dave Chatterjee:

step further, and document this process. So later on, if

Dr. Dave Chatterjee:

something were to happen, there is a fallback in this

Dr. Dave Chatterjee:

documentation where the executives can reference it and

Dr. Dave Chatterjee:

said, Look, we did the due diligence, we made a decision of

Dr. Dave Chatterjee:

going a certain way, for these reasons. Unfortunately, we were

Dr. Dave Chatterjee:

proven wrong. But our best interests were in place we were

Dr. Dave Chatterjee:

we were not acting in an irresponsible manner. So that's

Dr. Dave Chatterjee:

great insight. Moving along, you mentioned about kind of the top

Dr. Dave Chatterjee:

targets. And let's say, I am representing the security team

Dr. Dave Chatterjee:

of my organization. Obviously, I would not want my organization

Dr. Dave Chatterjee:

to be a top target. But I would like to know if it is. And so

Dr. Dave Chatterjee:

I'm just curious, can you shed some light on what makes for a

Dr. Dave Chatterjee:

top target? Yeah, so

Victoria Kivilevich:

Essentially, they target any company that can

Victoria Kivilevich:

bring some revenue for them, some profits. So I would say

Victoria Kivilevich:

there are different types of cyber criminals, and some of

Victoria Kivilevich:

them are only attacking companies to further sell this

Victoria Kivilevich:

information to other cyber criminals. So they are acting as

Victoria Kivilevich:

part of supply chain, it can be due to many reasons. For

Victoria Kivilevich:

example, they aren't sophisticated enough to conduct

Victoria Kivilevich:

a full scale attack. Maybe some of them are experts in one

Victoria Kivilevich:

niche, some just prefer to have stable income, and to sell what

Victoria Kivilevich:

they have instead of figuring out how to monetize this data

Victoria Kivilevich:

independently. For example, one actor can use phishing tactics

Victoria Kivilevich:

to steal personal data, just sell them and receive his money,

Victoria Kivilevich:

or he can use this data to conduct identity fraud, which

Victoria Kivilevich:

will require more skills and knowledge. For example,

Victoria Kivilevich:

unemployment fraud in the US requires an actor to try

Victoria Kivilevich:

multiple personal information records, to find the ones that

Victoria Kivilevich:

will work for this type of fraud and match the targeted state,

Victoria Kivilevich:

file an unemployment claim, bypass identity service, and so

Victoria Kivilevich:

on and so on. So logically, the actors who conduct full scale

Victoria Kivilevich:

attacks can earn more, since they're stealing money directly

Victoria Kivilevich:

from affected individuals or companies or blackmailing them.

Victoria Kivilevich:

So I would say that, for the first type of actors, it doesn't

Victoria Kivilevich:

really matter, usually, what is the company because all they

Victoria Kivilevich:

want is just to gain something and then to sell it to other

Victoria Kivilevich:

more skilled cyber criminals. But when we are talking about

Victoria Kivilevich:

cyber criminals who conduct the attacks till the end, and they

Victoria Kivilevich:

receive money from the victim, for them, it's really important

Victoria Kivilevich:

to know the revenue of the company, the sector of the

Victoria Kivilevich:

company, and how it can be abused.

Dr. Dave Chatterjee:

That's very useful. In fact, if for

Dr. Dave Chatterjee:

clarifications sake, you mentioned about a type of threat

Dr. Dave Chatterjee:

actor. I think the term might be Initial Access Brokers, but

Dr. Dave Chatterjee:

please correct me. These are the folks who are able to compromise

Dr. Dave Chatterjee:

networks and sell credentials to other threat actors, such as

Dr. Dave Chatterjee:

ransomware operators. Am I correct in using that term

Dr. Dave Chatterjee:

Initial Access Brokers?

Victoria Kivilevich:

Yes, that's totally correct.

Dr. Dave Chatterjee:

Okay. So again, from a organization

Dr. Dave Chatterjee:

standpoint, that is trying to protect themselves from getting

Dr. Dave Chatterjee:

hurt, from getting attacked, how is the relationship between the

Dr. Dave Chatterjee:

Initial Access Brokers and say the ransomware attackers, how is

Dr. Dave Chatterjee:

that significant?

Victoria Kivilevich:

So it's very significant because Initial

Victoria Kivilevich:

Access Brokers play a crucial role in the ransomware economy,

Victoria Kivilevich:

and especially in the ransomware-as-a-service economy,

Victoria Kivilevich:

which is a model that enables cyber criminals, also known as

Victoria Kivilevich:

affiliates, to use ransomware to execute attacks and get share of

Victoria Kivilevich:

ransom if the company pays the ransom in the end. So as you've

Victoria Kivilevich:

mentioned, Initial Access Brokers sell remote access to a

Victoria Kivilevich:

computer in a compromised organization, which is called

Victoria Kivilevich:

initial network access. How does it work? First, the broker needs

Victoria Kivilevich:

to find an initial infection vector, for example, compromise

Victoria Kivilevich:

RDP (Remote Desktop Protocol), or VPN (Virtual Private Network)

Victoria Kivilevich:

credentials, then he needs to research an organization, if

Victoria Kivilevich:

it's worth the effort, if it's even a company, if it's big

Victoria Kivilevich:

enough, if it's interesting? And then he needs to transform it

Victoria Kivilevich:

into a wider compromise. For example, achieve higher

Victoria Kivilevich:

privileges and then all he needs is to supply access to a buyer,

Victoria Kivilevich:

for example, in the form of RDP credentials. So, if this buyer

Victoria Kivilevich:

is related to a ransomware operation, he can use it to

Victoria Kivilevich:

enter the network, move laterally, and deploy ransomware

Victoria Kivilevich:

in all the environment. And initial access phase is already

Victoria Kivilevich:

taken care of by Initial Access Broker and it really

Victoria Kivilevich:

significantly eases the process and scales the attacks. So of

Victoria Kivilevich:

course, ransom operators have other ways of getting access,

Victoria Kivilevich:

they rely on phishing campaigns, botnets and more. And likewise,

Victoria Kivilevich:

Initial Access Brokers can sell network access to any actor, not

Victoria Kivilevich:

only to ransomware actors, they can sell it to financially

Victoria Kivilevich:

motivated APTs, which are Advanced Persistent Threat

Victoria Kivilevich:

actors usually state-backed, they can sell it to data brokers

Victoria Kivilevich:

and any threat actor that has a way to monetize the said access.

Victoria Kivilevich:

But as we've seen, Initial Access Brokers and ransomware

Victoria Kivilevich:

actors have an established corporation. And that is why

Victoria Kivilevich:

essential Initial Access Brokers are an essential part of supply

Victoria Kivilevich:

chain for many ransomware operations. That's why it's

Victoria Kivilevich:

important to track their offers.

Dr. Dave Chatterjee:

Wow, that is so interesting and

Dr. Dave Chatterjee:

enlightening. You touched upon the profile of of top targets.

Dr. Dave Chatterjee:

If we get more specific and think in terms of ransomware

Dr. Dave Chatterjee:

attacks. What is the profile of an ideal ransomware target? Is

Dr. Dave Chatterjee:

it different from top targets of initial access brokers?

Victoria Kivilevich:

Yeah, that's great question because

Victoria Kivilevich:

really, it is a little different. So for Initial Access

Victoria Kivilevich:

Brokers usually list some properties of a compromised

Victoria Kivilevich:

company, which help other threat actors to understand if this

Victoria Kivilevich:

victim is valuable. These properties can include revenue,

Victoria Kivilevich:

size (which is number for employees), industry and

Victoria Kivilevich:

description of the company. And usually, the bigger the revenue,

Victoria Kivilevich:

the more the access costs. But for Initial Access Brokers, it's

Victoria Kivilevich:

important only to sell the access. So they do not need to

Victoria Kivilevich:

pay a lot of attention to countries and sectors.

Victoria Kivilevich:

Essentially, every company that is vulnerable is good for them

Victoria Kivilevich:

because they will find a buyer most likely, even if it's not a

Victoria Kivilevich:

ransomware attack and then sell it to another criminal. We see

Victoria Kivilevich:

that initial access brokers offer a lot of access to

Victoria Kivilevich:

universities, but they tend to cost less. And we also seen

Victoria Kivilevich:

ransomware actors discuss that the universities, especially not

Victoria Kivilevich:

the major ones do not tend to pay ransom. So that's one

Victoria Kivilevich:

difference. The same about healthcare institutions. When

Victoria Kivilevich:

the pandemic started with some ransomware, the actors said they

Victoria Kivilevich:

will not attack medical institutions, but it didn't stop

Victoria Kivilevich:

initial access brokers from offering them for sale. So,

Victoria Kivilevich:

ransomware actors are more focused, and based on the

Victoria Kivilevich:

conditions that they state on various cybercrime forums, we

Victoria Kivilevich:

found that an ideal victim ransomware victim is: based in

Victoria Kivilevich:

the US, has more than $60 million in revenue, and most

Victoria Kivilevich:

likely it's not from education, government and nonprofit sector

Victoria Kivilevich:

because it's just not valuable for them. These victims won't

Victoria Kivilevich:

pay money, most likely. And we also seen a confirmation of that

Victoria Kivilevich:

by a representative of the Lockbit ransomware operation. He

Victoria Kivilevich:

said that the insurance in the ransomware sphere is more

Victoria Kivilevich:

developed in the US and in Europe, and the largest number

Victoria Kivilevich:

of the world's wealthiest companies is concentrated there.

Victoria Kivilevich:

So he explained why they are targeting mostly these

Victoria Kivilevich:

countries. Interestingly, the actors define not only the

Victoria Kivilevich:

desired revenue and country, but also type of access, and it can

Victoria Kivilevich:

be very beneficial for enterprise defenders. So first

Victoria Kivilevich:

of all, you can understand if your company is a potential

Victoria Kivilevich:

target, but I know it sounds too wide, because essentially, any

Victoria Kivilevich:

medium sized or big profitable company is a target. So what is

Victoria Kivilevich:

more interesting is the type of access which sheds light at some

Victoria Kivilevich:

TTPs (Tactics, Techniques, and Procedures) of ransomware

Victoria Kivilevich:

attackers as desired type of access, they state is RDP and

Victoria Kivilevich:

VPN, and it should trigger enterprise defenders to pay more

Victoria Kivilevich:

attention to these solutions and securing them. For example,

Victoria Kivilevich:

enabling two factor authentication for VPN

Victoria Kivilevich:

connections. Also, the actors name, specific products they are

Victoria Kivilevich:

targeting to ease their attack. Some names that we've seen --

Victoria Kivilevich:

Citrix, Fortinet, Cisco, Pulse Secure VPNs and other solutions.

Victoria Kivilevich:

When seeing this requirements, any defender can identify the

Victoria Kivilevich:

threat more correctly, and pay attention if these products are

Victoria Kivilevich:

used in the environment, and if they should pay more attention

Victoria Kivilevich:

to patching them and securing them. And what is the most

Victoria Kivilevich:

interesting that when studying Initial Access Brokers and

Victoria Kivilevich:

ransomware attackers, we can understand specific

Victoria Kivilevich:

vulnerabilities used by actors. For example, we've seen one

Victoria Kivilevich:

actor sharing his entire process of getting into the network. And

Victoria Kivilevich:

he mentioned the use of an automated script -- a program

Victoria Kivilevich:

which weaponizes one of the vulnerabilities in Pulse Connect

Victoria Kivilevich:

Secure VPNs. And if not patched, this flaw can be used by

Victoria Kivilevich:

different actors to attack the network and cause different

Victoria Kivilevich:

separate attacks. And it can be not only one actor, if someone

Victoria Kivilevich:

attacked you using one flaw, now the actor can also find this and

Victoria Kivilevich:

use it for a separate attack. So you can become a double victim.

Dr. Dave Chatterjee:

Very interesting. Now, as you talk

Dr. Dave Chatterjee:

about ransomware attackers and victims, my thought goes to

Dr. Dave Chatterjee:

organizations that are often double victims. And my research

Dr. Dave Chatterjee:

finds that these are the organizations who have paid

Dr. Dave Chatterjee:

once. And so there's the intelligence out there that

Dr. Dave Chatterjee:

they'll probably pay again, that's one way of thinking about

Dr. Dave Chatterjee:

double victims. Another way of thinking about double victims is

Dr. Dave Chatterjee:

the attackers, the ransomware attackers these days, they not

Dr. Dave Chatterjee:

only steal your data and encrypt your network your systems, but

Dr. Dave Chatterjee:

they're also selling the data. So even if you regain access to

Dr. Dave Chatterjee:

your network, that is not a guarantee that your data is not

Dr. Dave Chatterjee:

already out there in one of the Dark Web resources being sold to

Dr. Dave Chatterjee:

some other threat actor. So what advice do you have for

Dr. Dave Chatterjee:

organizations from the standpoint of avoiding becoming

Dr. Dave Chatterjee:

double victims?

Victoria Kivilevich:

So I would say that the most important

Victoria Kivilevich:

point is to properly investigate the incidents because a company

Victoria Kivilevich:

can become a double victim if different actors use one entry

Victoria Kivilevich:

vector that wasn't secured after the first attack. So proper

Victoria Kivilevich:

investigation and acting using the results of the investigation

Victoria Kivilevich:

is essential. And of course, the company should have some

Victoria Kivilevich:

established practice. For example, cybersecurity awareness

Victoria Kivilevich:

and training for all key stakeholders and employees. All

Victoria Kivilevich:

key individuals should know how to safely use their credentials

Victoria Kivilevich:

and personal information online. Also, there should be of course,

Victoria Kivilevich:

an established process of vulnerability monitoring and

Victoria Kivilevich:

patching because you should continually protect all the

Victoria Kivilevich:

network infrastructure and prevent any unauthorized access

Victoria Kivilevich:

either by Initial Access Brokers or other cyber criminals. And of

Victoria Kivilevich:

course, the automated and targeted monitoring of key

Victoria Kivilevich:

assets in cybercrime ecosystem can help to immediately detect

Victoria Kivilevich:

threats emerging from the cybercrime system. I just want

Victoria Kivilevich:

maybe to show an example of two attacks that started in Dark Web

Victoria Kivilevich:

and then evolved into full scale attack. For example, in June

Victoria Kivilevich:

2021, the hack of Electronic Arts, a video game company, it

Victoria Kivilevich:

began with hackers who purchased stolen cookies sold online for

Victoria Kivilevich:

just $10 on Genesis market, which is a market of information

Victoria Kivilevich:

stolen via information stealing malware. So, cookie is something

Victoria Kivilevich:

that can save the login details of particular users, and

Victoria Kivilevich:

potentially allowed hackers to log into services as that

Victoria Kivilevich:

person. And this is what these specific hackers did. They use

Victoria Kivilevich:

these credentials to gain access to a Slack channel used in

Victoria Kivilevich:

Electronic Arts. Once in the Slack channel, they tricked one

Victoria Kivilevich:

of their employees to provide a multi factor authentication

Victoria Kivilevich:

token, they just messaged their IT support members. And they

Victoria Kivilevich:

said that they lost their phone and the party. And that's why

Victoria Kivilevich:

they need another certification token. And once they received

Victoria Kivilevich:

this token they logged into into a corporate network. And then

Victoria Kivilevich:

they found the service for developers that they use to

Victoria Kivilevich:

compile games. And then they just stole game source code,

Victoria Kivilevich:

which is, of course very valuable for the video gaming

Victoria Kivilevich:

company. And they said they had almost 800 gigabytes of data.

Victoria Kivilevich:

And they were advertising it for sale on various underground

Victoria Kivilevich:

forums. So if this cookie had not been bought from this

Victoria Kivilevich:

underground market, maybe the attack would not have happened.

Victoria Kivilevich:

And of course, as we were talking about Initial Access

Victoria Kivilevich:

Brokers and ransomware attacks, we have also seen a lot of

Victoria Kivilevich:

examples of an attack that started from network access, and

Victoria Kivilevich:

continued into full scale ransom attack. From what we've seen,

Victoria Kivilevich:

one of the examples is very interesting, because it was

Victoria Kivilevich:

confirmed by the company's investigation. We saw the

Victoria Kivilevich:

Initial Access Broker offering data offering initial network

Victoria Kivilevich:

access to the company, we were identified as Gyrodata. It's a

Victoria Kivilevich:

US based energy company. He offered the access on January

Victoria Kivilevich:

16. Two days later, the actor declared the access was sold.

Victoria Kivilevich:

And one month later on February 20, the operators of Darkside

Victoria Kivilevich:

ransomware published a blog post claiming to have compromised the

Victoria Kivilevich:

same company. So logically, we assumed it's one attack. And

Victoria Kivilevich:

then we saw the Gyrodata data investigation. And it confirmed

Victoria Kivilevich:

our findings because they said that the unauthorized actor

Victoria Kivilevich:

gained access to certain systems and related data within the

Victoria Kivilevich:

company's environment from approximately January 16 to

Victoria Kivilevich:

February 22. So this is the same timeline. And we have seen a lot

Victoria Kivilevich:

of examples. And we have identified at least five

Victoria Kivilevich:

ransomware operations, most of them managed by Russian speaking

Victoria Kivilevich:

actors who are buying accesses from initial access brokers and

Victoria Kivilevich:

using this access in their attacks. For example, LockBit,

Victoria Kivilevich:

Avaddon Darkside, Conti, BlackByte. So you can ask me,

Victoria Kivilevich:

Why is it even valuable? Why should we follow this this

Victoria Kivilevich:

information? Because, as we've seen, from the moment the access

Victoria Kivilevich:

is listed on sale, it takes on average one month to attack the

Victoria Kivilevich:

company to try to have negotiations and then to publish

Victoria Kivilevich:

its name on the ransomware blog, if the negotiations fail. So it

Victoria Kivilevich:

means that a network access victim has a few days, sometimes

Victoria Kivilevich:

even weeks to understand that it's compromised and to secure

Victoria Kivilevich:

the access to find this unauthorized access, and to

Victoria Kivilevich:

prevent a future attack.

Dr. Dave Chatterjee:

Very interesting. Thank you for

Dr. Dave Chatterjee:

providing us with these great examples. Now, let me present

Dr. Dave Chatterjee:

you with a scenario. An attacker approaches an organization and

Dr. Dave Chatterjee:

they say that they have the organization's data. And

Dr. Dave Chatterjee:

obviously they're asking for money. What kinds of checks

Dr. Dave Chatterjee:

should the organization engage in to verify if the threat is a

Dr. Dave Chatterjee:

real one?

Victoria Kivilevich:

It's an excellent question, because we

Victoria Kivilevich:

do see a lot of actors that try to pretend they're skilled

Victoria Kivilevich:

actors. But in reality, they are just some beginners that trying

Victoria Kivilevich:

to gain easy profits. So, it is really important to first

Victoria Kivilevich:

understand context. And second, ask for proof, for example,

Victoria Kivilevich:

someone approaches you and says your vendor was attacked, and

Victoria Kivilevich:

your data was stolen. So there is a lot of actors that just

Victoria Kivilevich:

prey on data breaches that already that already happened,

Victoria Kivilevich:

and they can use them to intimidate you and ask for

Victoria Kivilevich:

ransom without having any data. So in this case, it is important

Victoria Kivilevich:

to understand if such email is even in TTPs of a specific

Victoria Kivilevich:

group, do they really inform clients of an attacked company

Victoria Kivilevich:

about the breach? We had such case with a-Clop ransomware and

Victoria Kivilevich:

we confirmed that this is a genuine email that they really

Victoria Kivilevich:

send emails to all the vendors, partners and clients to

Victoria Kivilevich:

intimidate the company, but easily it could be another

Victoria Kivilevich:

ransomware gang that doesn't have it in its TTPs. And then

Victoria Kivilevich:

you need to go further. What do I mean by going further is to

Victoria Kivilevich:

understand what proof do you have because I have an excellent

Victoria Kivilevich:

example with Conti that you mentioned -- the ransom

Victoria Kivilevich:

operation which made a lot of headlines. We have visibility in

Victoria Kivilevich:

their TTPs, thanks to recent leak of their internal

Victoria Kivilevich:

information. So as a response to the Conti's runs support of the

Victoria Kivilevich:

Russian invasion of Ukraine, a suspected Ukrainian researcher

Victoria Kivilevich:

just leaked internal conversations of its members.

Victoria Kivilevich:

And it gave us a lot of valuable informations. For example, we

Victoria Kivilevich:

found that Conti, respected known operation frequently lies

Victoria Kivilevich:

to victims about the stolen data, they insist they have more

Victoria Kivilevich:

than what's actually stolen. I've seen an example that they

Victoria Kivilevich:

discussed some company from Canada, and one of the Conti

Victoria Kivilevich:

workers complained to a high profile member of Conti, that he

Victoria Kivilevich:

could not find files requested by the victim. And he claimed

Victoria Kivilevich:

that the team that was attacking the network didn't download all

Victoria Kivilevich:

the files from the file tree. So they demonstrated this file tree

Victoria Kivilevich:

to the victim. And it was a huge file tree. And the victim, of

Victoria Kivilevich:

course, was persuaded that they have a lot of data. But it

Victoria Kivilevich:

wasn't true. It was another example, we've seen, the same

Victoria Kivilevich:

actor said that only eight gigabytes of data were stolen

Victoria Kivilevich:

from the network. Of course, in negotiations, they said it was a

Victoria Kivilevich:

lot more. And in the end, this victim paid ransom, and it was

Victoria Kivilevich:

over $1 million. So over $1 million for 8 gigabytes of

Victoria Kivilevich:

files, and they didn't know it. And, as you've said, the

Victoria Kivilevich:

ransomware actors usually say that, of course, after receiving

Victoria Kivilevich:

the money, we will delete all information that we have. So

Victoria Kivilevich:

what they did, they didn't send any any proof after being paid.

Victoria Kivilevich:

They just said that we deleted all the data, all the logs. And

Victoria Kivilevich:

that's it. So the proof is very important. Second step after

Victoria Kivilevich:

trying to understand what's the context, what is the background

Victoria Kivilevich:

of the attacker, if you have an opportunity to interact with the

Victoria Kivilevich:

attacker, you need to ask for proofs. First of all, these

Victoria Kivilevich:

proofs can help you to understand what data was taken.

Victoria Kivilevich:

And if it even was taken. And second, maybe it will give you

Victoria Kivilevich:

some insights about what tools were used to compromise your

Victoria Kivilevich:

network, maybe what specific software was compromised,

Victoria Kivilevich:

because when the actor sends proof, they can accidentally

Victoria Kivilevich:

leave some information that will lead you to securing your

Victoria Kivilevich:

environment and find the unauthorized access that the

Victoria Kivilevich:

attackers have.

Dr. Dave Chatterjee:

Very insightful. Thank you. Again,

Dr. Dave Chatterjee:

this is very, very useful information that I know many

Dr. Dave Chatterjee:

organizations can benefit from. So you talked about the Conti

Dr. Dave Chatterjee:

Group, I'm sure there are many players out there. And you are

Dr. Dave Chatterjee:

the expert in this area. Is it important that organizations

Dr. Dave Chatterjee:

make a concerted focused effort to learn about each of these

Dr. Dave Chatterjee:

groups? Because I see this as a never ending proposition because

Dr. Dave Chatterjee:

these groups are are evolving, they're appearing maybe some

Dr. Dave Chatterjee:

disappear, it almost seems that an organization needs to have a

Dr. Dave Chatterjee:

team that solely focuses on monitoring this ecosystem

Dr. Dave Chatterjee:

monitoring these new players, existing players, that's a lot

Dr. Dave Chatterjee:

of activity. What are your thoughts? What is your advice,

Dr. Dave Chatterjee:

how best to try and get your hands around all that's going

Dr. Dave Chatterjee:

on, in as you call it, the cybercrime ecosystem?

Victoria Kivilevich:

So of course, each company should have

Victoria Kivilevich:

a team that is focused on securing the company's assets.

Victoria Kivilevich:

Of course, studying the ecosystem is another step, which

Victoria Kivilevich:

provides a lot of valuable information. But I understand

Victoria Kivilevich:

that some companies doesn't have resources for that. So there is

Victoria Kivilevich:

a lot of companies that publish open source, open research that

Victoria Kivilevich:

you can access. And this is something that you need to

Victoria Kivilevich:

follow, because, as you've said, the groups are appearing and

Victoria Kivilevich:

disappearing. And maybe the name is not important, so much for

Victoria Kivilevich:

enterprise defenders, but TTPs, and what tools they're using,

Victoria Kivilevich:

that is really important. And as I mentioned, with the Conti

Victoria Kivilevich:

leak, sometimes it happens that accidentally or thanks to

Victoria Kivilevich:

efforts of researchers, we get our hands on information that

Victoria Kivilevich:

can be very valuable. And that is, if we're speaking, for

Victoria Kivilevich:

example, about ransomware-as-a-service, that is

Victoria Kivilevich:

a flaw in their operation because they have a lot of

Victoria Kivilevich:

people in the team. Of course, it raises so called insider

Victoria Kivilevich:

threat, something happens, an affiliate is not happy with the

Victoria Kivilevich:

conditions that he got. And he can just reveal all the manuals

Victoria Kivilevich:

of the ransomware operation on one of the forums. And that is

Victoria Kivilevich:

why following on this news is very important, because you can

Victoria Kivilevich:

just receive a tutorial how ransomware attacker could breach

Victoria Kivilevich:

into your network from the beginning what tools they can

Victoria Kivilevich:

use, even what infrastructure. Because we spoke a lot about

Victoria Kivilevich:

Conti, I cannot not to mention that they allegedly shut down

Victoria Kivilevich:

their operations. And they separated into smaller units. So

Victoria Kivilevich:

we can expect a lot of new gangs using these old methods. And of

Victoria Kivilevich:

course, they can also use new methods because even among

Victoria Kivilevich:

different teams in one ransomware groups, the TTPs may

Victoria Kivilevich:

differ. So it's crucial to track it since they can use both new

Victoria Kivilevich:

methods and all successful tricks which includes

Victoria Kivilevich:

infrastructure, which includes supply chain, the same Initial

Victoria Kivilevich:

Access Brokers that we've seen, being used by Conti in this

Victoria Kivilevich:

internal leaks. They said, they found them on forums, they were

Victoria Kivilevich:

actually exchanging messages like, "Hey, I've seen this guy

Victoria Kivilevich:

on the forum, I think we should work with him." So it means that

Victoria Kivilevich:

new groups can also leverage the same Initial Access Brokers. And

Victoria Kivilevich:

even if attackers tried to hide their identity and not to

Victoria Kivilevich:

contact the sellers directly, for example, we can still see

Victoria Kivilevich:

these suppliers in cybercrime sources. And we can still

Victoria Kivilevich:

evaluate how specific company looks in the eyes of attackers

Victoria Kivilevich:

and what he can use to attack. So unlucky for us, the

Victoria Kivilevich:

cybercrime ecosystem will unlikely disappear. But luckily

Victoria Kivilevich:

for us, we can have almost the same visibility into these

Victoria Kivilevich:

threats as potential attackers.

Dr. Dave Chatterjee:

That is so true. And as you were, you were

Dr. Dave Chatterjee:

discussing so many different topics in the context of how to

Dr. Dave Chatterjee:

leverage the intelligence from these dark groups, if I may, if

Dr. Dave Chatterjee:

I had to summarize some of my takeaways from this discussion.

Dr. Dave Chatterjee:

First and foremost, organizations can't afford to

Dr. Dave Chatterjee:

ignore these very valuable resources. As we have discussed

Dr. Dave Chatterjee:

previously, during our planning meetings, it may not be easy for

Dr. Dave Chatterjee:

organizations to gain access to these resources. So they may

Dr. Dave Chatterjee:

have to deploy intermediaries who can gain access on their

Dr. Dave Chatterjee:

behalf, and keep them posted on a regular basis on all kinds of

Dr. Dave Chatterjee:

intelligence, whether that organization is a target or not,

Dr. Dave Chatterjee:

what are the types of attacks that they should be prepared

Dr. Dave Chatterjee:

for. So it's a constant exercise that a company needs to engage

Dr. Dave Chatterjee:

in, they need to have the right teams in place, who are

Dr. Dave Chatterjee:

monitoring the intelligence who are sharing reporting the

Dr. Dave Chatterjee:

intelligence, and they're also people in place who are

Dr. Dave Chatterjee:

reviewing it, and responding to the intelligence as soon as

Dr. Dave Chatterjee:

possible. Because, you can gather all the intelligence in

Dr. Dave Chatterjee:

the world, but if you don't act on it, then what's the point,

Dr. Dave Chatterjee:

which is unfortunately, the case, in many, many

Dr. Dave Chatterjee:

organizations, it happens quite a lot. So this is a lot of great

Dr. Dave Chatterjee:

information, Victoria. Really enjoyed this conversation. But

Dr. Dave Chatterjee:

I'd like to give you the final opportunity to conclude with

Dr. Dave Chatterjee:

some some final thoughts, some final takeaways for the

Dr. Dave Chatterjee:

audience. Yeah, so

Victoria Kivilevich:

All that you said, is totally great

Victoria Kivilevich:

summarizing what I've been telling about. I would like just

Victoria Kivilevich:

to add that, as you mentioned, it is really important to

Victoria Kivilevich:

document all of the investigations and threat

Victoria Kivilevich:

intelligence. And I would also say it's really important to

Victoria Kivilevich:

filter the noise because there is a lot of threats that seem to

Victoria Kivilevich:

be threats. But in the end, you understand that it's not that

Victoria Kivilevich:

it's not something that is dangerous for your organization.

Victoria Kivilevich:

And if you document it, maybe the next time you don't need to

Victoria Kivilevich:

dedicate all this time and effort on the second time to try

Victoria Kivilevich:

to understand if it's something dangerous. And summarizing why

Victoria Kivilevich:

why the cybercrime ecosystem is so important. It's because

Victoria Kivilevich:

nowadays the typical cyber criminal does not work on his

Victoria Kivilevich:

own. Even the most basic criminal business requires

Victoria Kivilevich:

different tools, services, and all of them are available for

Victoria Kivilevich:

purchase on the cybercrime forums. Also, the cybercrime

Victoria Kivilevich:

ecosystem shifted towards something we call

Victoria Kivilevich:

everything-as-a-service model, meaning instead of just

Victoria Kivilevich:

purchasing tools, and then conducting attacks, any threat

Victoria Kivilevich:

actor can employ any number of services to receive needed

Victoria Kivilevich:

information. For example, if a threat actor wants to conduct

Victoria Kivilevich:

some form of identity fraud, meaning to impersonate a person

Victoria Kivilevich:

to receive profits, they can easily purchase personal

Victoria Kivilevich:

information, protected health information, and identification

Victoria Kivilevich:

documents instead of trying to receive it by themselves. So

Victoria Kivilevich:

such automation has two primary consequences. Firstly, it lowers

Victoria Kivilevich:

the level of sophistication and technical knowledge required by

Victoria Kivilevich:

typical cyber criminals, which of course, raises the number of

Victoria Kivilevich:

attacks. And secondly, it resulted in hundreds of

Victoria Kivilevich:

organized cyber criminal groups, which specialize and provide

Victoria Kivilevich:

services to other cyber criminals. So this is the whole

Victoria Kivilevich:

ecsystem that you can find anything in it, and most likely

Victoria Kivilevich:

you will find something connected to a company. And then

Victoria Kivilevich:

it is up to you. And this is your next step. To build a

Victoria Kivilevich:

proper process of reacting to this raw data and turning it

Victoria Kivilevich:

into threat intelligence into actionable threat intelligence

Victoria Kivilevich:

can be used to secure your organization.

Dr. Dave Chatterjee:

Thank you so much, Victoria. It has been

Dr. Dave Chatterjee:

such a pleasure.

Victoria Kivilevich:

Pleasure for me too. Thank you.

Dr. Dave Chatterjee:

A special thanks to Victoria Kivilevich

Dr. Dave Chatterjee:

for her time and insights. If you like what you heard, please

Dr. Dave Chatterjee:

leave the podcast a rating and share it with your network. Also

Dr. Dave Chatterjee:

subscribe to the show, so you don't miss any new episodes.

Dr. Dave Chatterjee:

Thank you for listening, and I'll see you in the next

Dr. Dave Chatterjee:

episode.

Introducer:

The information contained in this podcast is for

Introducer:

general guidance only. The discussants assume no

Introducer:

responsibility or liability for any errors or omissions in the

Introducer:

content of this podcast. The information contained in this

Introducer:

podcast is provided on an as is basis with no guarantee of

Introducer:

completeness, accuracy, usefulness, or timeliness. The

Introducer:

opinions and recommendations expressed in this podcast are

Introducer:

those of the discussants and not of any organization.

About the Podcast

Show artwork for The Cybersecurity Readiness Podcast Series
The Cybersecurity Readiness Podcast Series
with Dr. Dave Chatterjee

About your host

Profile picture for Dave Chatterjee

Dave Chatterjee

Dr. Debabroto 'Dave' Chatterjee is tenured professor in the Management Information Systems (MIS) department, at the Terry College of Business, The University of Georgia (UGA). He is also a Visiting Scholar at Duke University, affiliated with the Master of Engineering in Cybersecurity program in the Pratt School of Engineering. An accomplished scholar and technology thought leader, Dr. Chatterjee’s interest and expertise lie in the various facets of information technology management – from technology sense-making to implementation and change management, data governance, internal controls, information security, and performance measurement. His work has been accepted and published in prestigious outlets such as The Wall Street Journal, MIT Sloan Management Review, California Management Review, Business Horizons, MIS Quarterly, and Journal of Management Information Systems. Dr. Chatterjee’s research has been sponsored by industry and cited over two thousand times. His book Cybersecurity Readiness: A Holistic and High-Performance Approach was published by SAGE Publishing in March 2021.