Defending Executives in Their Private Cyber Space
Defending Executives in Their Private Cyber Space
Christopher Gore
President
D4C Global, LLC
Background
• Air Force Office of Special Investigations
• Cyber-Counterintelligence
• F-35 Joint Strike Fighter
• Executive Protection
• Private Investigator
F-35 Joint Strike Fighter (JSF)
J-31 Chinese Stealth Fighter
Advanced Persistent Threats
• How do they operate?
  • Creative and determined
  • Weakest link in the chain
• What do they want?
  • Center of Gravity
  • Intellectual property
  • “Understand the viewpoints and motivations of influential officials”
Achilles Heel
• The personal email accounts and home networks of executive leaders and key persons are the “Achilles Heel” of U.S. cyber security programs
• Advanced cyber threats recognize personal accounts and home networks as soft targets that yield high value cyber espionage results.
Beyond Remit
Serious Concerns
• In September 2018, Senator Wyden wrote a letter to Congressional leadership addressing “serious concerns” about foreign cyber targeting of the private email accounts of US Senators and Senate staff
• This is true in many corporate policies
Counterintelligence + Security
• Even the most stringent security measures remain vulnerable to persistent threats looking to exploit their target.
• The signature purpose of CI is to confront and engage the threats; to disrupt their activities and neutralize their efforts.
Detecting the Threat
• Discreet monitoring of executive’s personal communication accounts and devices
• Balancing privacy needs with threat intelligence collection needs
• Detect incoming and outgoing indicators
Hardening the Home Office Network
• At a minimum:
  • Robust firewall and antivirus/anti-malware
  • All devices fully updated on software/firmware settings, security patches, etc.
  • Utilize application whitelisting
  • Reduce the attack surface by disabling Java, JavaScript and ActiveX, or by adding script-blocking plugins
  • Eliminate Wi-Fi as much as possible by using an ethernet cable instead
  • Consider establishing two internet lines -- one for the family and one exclusively for the executive
  • Use an outbound firewall to block any malware or malicious programs from being able to connect to the internet
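The outbound-firewall point above and the “detect incoming and outgoing indicators” point from the Detecting the Threat slide come down to one rule: the executive's dedicated line gets a default-deny egress policy, and every connection that policy denies is an indicator to review rather than noise. The Python below is an added example, not part of the deck or of any D4C Global tooling. It applies such a policy to a handful of flow records as a residence sensor or outbound firewall would log them, then aggregates the denied connections per destination so a repeated beacon from more than one host stands out. The subnet, the allow-list entries and every flow record are constructed for illustration.

```python
import ipaddress

# Constructed outbound flow records, in the shape a residence sensor or an
# outbound firewall would log them: timestamp src dst dst_port proto bytes_out.
FLOWS = [
    "2019-03-04T21:02:11 10.10.0.5 203.0.113.20 443 tcp 5120",
    "2019-03-04T21:02:15 10.10.0.5 198.51.100.10 443 tcp 880",
    "2019-03-04T21:05:40 10.10.0.5 192.0.2.77 8443 tcp 14200",
    "2019-03-04T21:05:41 10.10.0.5 192.0.2.77 8443 tcp 13900",
    "2019-03-04T21:06:02 10.10.0.7 192.0.2.77 8443 tcp 600",
    "2019-03-04T21:07:00 10.10.0.5 192.0.2.9 53 udp 120",
    "2019-03-04T21:07:30 10.20.0.3 192.0.2.77 8443 tcp 400",
]

# Assumption: the executive's dedicated line is 10.10.0.0/24; the family line
# (10.20.0.0/24 in the sample) is outside this policy's scope.
EXEC_SUBNET = ipaddress.ip_network("10.10.0.0/24")

# Default-deny egress allow-list for the executive's line: (destination, port).
# Anything not listed is denied and logged. Entries are constructed.
ALLOWED = [
    (ipaddress.ip_network("203.0.113.0/24"), 443),    # corporate VPN / mail edge
    (ipaddress.ip_network("198.51.100.10/32"), 443),  # patch mirror
    (ipaddress.ip_network("10.10.0.1/32"), 53),       # the local resolver only
]


def parse_flow(line):
    """Split one sensor log line into typed fields."""
    ts, src, dst, port, proto, nbytes = line.split()
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "port": int(port),
        "proto": proto,
        "bytes": int(nbytes),
    }


def is_allowed(flow):
    """True if the destination/port pair is on the egress allow-list."""
    return any(flow["dst"] in net and flow["port"] == port for net, port in ALLOWED)


def denied_flows(lines):
    """Return the executive-line flows the policy would block; these are the
    outgoing indicators worth investigating."""
    denied = []
    for line in lines:
        flow = parse_flow(line)
        if flow["src"] in EXEC_SUBNET and not is_allowed(flow):
            denied.append(flow)
    return denied


def summarize(denied):
    """Aggregate denied flows per destination so repeated beacons stand out."""
    agg = {}
    for flow in denied:
        key = (str(flow["dst"]), flow["port"], flow["proto"])
        entry = agg.setdefault(key, {"flows": 0, "bytes": 0, "hosts": set()})
        entry["flows"] += 1
        entry["bytes"] += flow["bytes"]
        entry["hosts"].add(str(flow["src"]))
    return agg


if __name__ == "__main__":
    ranked = sorted(summarize(denied_flows(FLOWS)).items(),
                    key=lambda kv: -kv[1]["flows"])
    for (dst, port, proto), entry in ranked:
        print(f"DENY {dst}:{port}/{proto} flows={entry['flows']} "
              f"bytes={entry['bytes']} hosts={sorted(entry['hosts'])}")
```

On the sample data the two allowed connections pass, the family-line flow is ignored, and four executive-line flows are denied; the summary shows 192.0.2.77:8443 reached three times from two different executive-line hosts, which is exactly the kind of outgoing indicator the deck says to look for. The plain DNS query to an external resolver is denied too, since the policy only permits the local resolver.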
Case Study
• Private U.S. firm received notification from a U.S. Government contact that the contents of their emails were being leaked
• Firm contracted CI team to investigate the email breach and harden corporate networks
Case Study
• Hardening of corporate network prevented continued unauthorized access to email accounts
• Adversaries actively sought renewed access through a variety of cyber-enabled methods
• Attacks targeted both corporate and personal accounts for those closest to the principal
Case Study
• After multiple attempts to regain access remotely, a senior staffer with a privileged account had their personal phone stolen while at dinner
• Cash, credit card, and keys were not disturbed
Case Study
• The following day, staffer received multiple recovery messages from “Apple Support”
Case Study
• Investigation revealed that the message was a phishing campaign originating in Russia
The Need for Consistent Training
• Humans are the weakest link
• Principals and families need constant training, updates, and risk awareness
Hardening the Executive
• At a minimum:
  • Know Yourself and Your Infrastructure -- Company Equipment and Tools, Accepted Policies and Standards, Sensitive Information
  • Who Do You Trust? -- Vendors, Procurement, Automation, Layered Approach
  • The Cost of Convenience
  • Access Management
  • Physical Space
  • Online Privacy
  • Secure Data and Communications
Case Study
• Former U.S. ambassador remained target of cyber campaign after term ended
• Ambassador faced persistent targeting and cyber-harassment
Counterintelligence Neutralization - Background
Former U.S. Diplomat and Business Executive Targeted by Advanced Threat Actors
• Targeting both at work and at home
• Personal devices and home router compromised
• Family devices also compromised
• Gmail/business email account accessed; 2-factor enabled
• CI investigation requested after 5 cyber security firms struggled to disrupt the threat
  • All had the same basic approach – forensics on computers, buy new devices, implement security controls, install security applications, change passwords, etc.
CI Approach – Outside the SOC
• Our team focused on investigation and disruption of the threat actor infrastructure
• Deployment of a covert sensor at the residence – we can see them, they cannot see us
• Seek to disrupt all elements of the threat actor campaign
• Attack infrastructure was vulnerable
  • But not how you might think!
Counterintelligence Investigative Results
Investigation into and analysis of malicious IP space identified several repeated patterns:
• Use of the same street names in different cities and states for IP ownership registration
• Use of cheap, “purchase online” virtual office locations and phone numbers
• Use of similar personnel names and email addresses
• Similar dates and times for IP block ownership registrations
• Similarities in website code, design and errors on “business” sites
• Unreasonable prices for “business” products and services
• No evidence of customers and employees
• Use of stolen images of people and equipment
• Not returning phone calls and emails
• Nominal DNS activity
Counterintelligence extends outside the SOC
Counterintelligence Investigative Results
…and resulted in the discovery of over 700,000 IP addresses, owned by 10 businesses, with an estimated annual infrastructure cost of 8 million US dollars.
Fake customers, stolen identities, fake owners, and over $8 million invested in “attack infrastructure”
Counterintelligence question – Who would do this? And why?
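The registration patterns listed on the previous slide are, in practice, pairwise links between records: the same street name reused in a different city, the same contact name with punctuation changed, registration dates a few days apart, the same website template behind different “business” names. Following those links is how ten separately registered businesses resolve into one body of infrastructure. The Python below is an added example, not the investigation's own tooling: it applies those four link rules to a handful of constructed WHOIS-style records (every organisation, street, contact, email, template id, prefix and date is invented), groups linked records with union-find, and sums the address space per group. Requiring at least two shared attributes before linking is an assumption of the example; a single coincidence such as a common street name is weak evidence on its own, and the threshold keeps that from pulling an unrelated registrant into the cluster.

```python
import ipaddress
from datetime import date, timedelta

# Constructed IP-block registration records in the shape an analyst pulls from
# WHOIS/RIR data. Every organisation, street, contact, email, template id,
# prefix and date here is invented for the example.
RECORDS = [
    {"org": "Northgate Hosting LLC", "prefix": "192.0.2.0/24",
     "street": "Maple Street", "city": "Denver", "state": "CO",
     "contact": "J. Miller", "email": "admin@northgate-host.example",
     "site_template": "tpl-7f3a", "registered": date(2017, 3, 14)},
    {"org": "Bluewater Data Inc", "prefix": "198.51.100.0/24",
     "street": "Maple Street", "city": "Austin", "state": "TX",
     "contact": "j.miller", "email": "admin@bluewater-data.example",
     "site_template": "tpl-7f3a", "registered": date(2017, 3, 14)},
    {"org": "Summit Cloud Group", "prefix": "203.0.113.0/25",
     "street": "Maple Street", "city": "Reno", "state": "NV",
     "contact": "JMiller", "email": "noc@summit-cloud.example",
     "site_template": "tpl-7f3a", "registered": date(2017, 3, 16)},
    # An unrelated registrant that happens to share one weak attribute
    # (a registration date one day apart) with the others.
    {"org": "Harbor Networks", "prefix": "203.0.113.128/25",
     "street": "Ocean Avenue", "city": "Tampa", "state": "FL",
     "contact": "A. Santos", "email": "hostmaster@harbornet.example",
     "site_template": "tpl-0c21", "registered": date(2017, 3, 15)},
]


def normalize_name(name):
    """Collapse punctuation and case so 'J. Miller', 'j.miller' and 'JMiller' agree."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


def link_score(a, b, date_window=timedelta(days=7)):
    """Count the independent registration attributes two records share.
    Each rule mirrors one pattern from the investigation's list."""
    score = 0
    same_street = a["street"].lower() == b["street"].lower()
    same_place = (a["city"], a["state"]) == (b["city"], b["state"])
    if same_street and not same_place:
        score += 1  # same street name reused in a different city/state
    if normalize_name(a["contact"]) == normalize_name(b["contact"]):
        score += 1  # same personnel name with cosmetic variation
    if abs(a["registered"] - b["registered"]) <= date_window:
        score += 1  # registrations within days of each other
    if a["site_template"] == b["site_template"]:
        score += 1  # same website code/design on the "business" sites
    return score


def cluster(records, threshold=2):
    """Union-find over record indices; link pairs sharing >= threshold attributes."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    for i in range(len(records)):
        for j in range(i + 1, len(records)):
            if link_score(records[i], records[j]) >= threshold:
                parent[find(i)] = find(j)
    groups = {}
    for i in range(len(records)):
        groups.setdefault(find(i), []).append(i)
    return sorted(groups.values())


def summarize(records, groups):
    """Per cluster: member organisations and total address space, largest first."""
    out = []
    for g in groups:
        addrs = sum(ipaddress.ip_network(records[i]["prefix"]).num_addresses for i in g)
        out.append({"orgs": sorted(records[i]["org"] for i in g), "addresses": addrs})
    return sorted(out, key=lambda c: -c["addresses"])


if __name__ == "__main__":
    for c in summarize(RECORDS, cluster(RECORDS)):
        print(f"{c['addresses']:>6} addresses  {', '.join(c['orgs'])}")
```

On the sample data the three “Maple Street” registrants score four shared attributes with each other and collapse into one cluster holding 640 addresses, while Harbor Networks scores only one against any of them (the nearby date) and stays separate. The same scoring can take more rules from the slide's list, for instance a shared virtual-office phone number or a stolen staff photo matched by hash, each added as one more independent attribute.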
Public/Private Coordination = Threat Neutralization
Counterintelligence gathers information:
• Pivoted an internal team to investigate threat infrastructure
• Conducted physical investigation and collected information which supports ongoing investigations
Counterintelligence conducts activities:
• Coordination with LE – criminal case
• Coordination with victims – civil case
Results:
• Adversary’s targeting tool neutralized
• Client’s security infrastructure is not overtasked
• Client is more secure
• U.S. public safety and security is increased
CI Perspective = Paradigm Shift