Threat Hunting (or TH in short) is quickly emerging as a ho trend in cybersecurity. The onslaught of data breaches we’ve been experiencing, each bigger than the last, proved to organization that they should assume compromise and seek ways to reduce the Dwell time. Dwell time is defined as the number of days that a threat stayed latent before discovery and eradication. In 2016 it was 98 days for financial services firms, and 197 days for retailers on average.
So organizations now “Hunt’ for threats instead of looking for alerts to notify them regarding potential breaches.
Roots
The term “threat hunting” was probably coined by security analyst Richard Bejtlich, who wrote in 2011: “To best counter targeted attacks, one must conduct counter-threat operations (CTOps). In other words, defenders must actively hunt intruders in their enterprise.” The SANS Institute defines threat hunting as follows: “Threat hunting is a focused and iterative approach to searching out, identifying and understanding adversaries that have entered the defender’s networks.”
Even the analyst firm Gartner covers this activity (although not defined as a market segment yet).
North Korea has garnered much attention, largely due to its nuclear ambitions, but also for its presumed substantial offensive cyber capabilities. The isolated country has been suspected of some of the more noteworthy hacks that, if true, have demonstrated an increasing use of cyber operations that have spanned from distributed denial-of-service (DDoS) attacks to more destructive “wiping” of data on targeted networks and systems. As of late, there has been indications that North Korea has been using its cyber prowess in support of more criminal activities such as the theft of money, and more recently, of cryptocurrencies. Such a divergent range of activities is of note as many of the other suspected nation state-driven cyber operations have concentrated on stealing data, disseminating influence campaigns, or launching destructive attacks.
North Korea Cyber power
This is not to say that suspected North Korean cyber activity is absent these purposes. Some of the more aggressive actions believed to be orchestrated by North Korea include but may not be limited to the following:
August 2017: Cyber espionage activity tied to the “Lazarus Group” targeted U.S. defense contractors with spearphishing e-mails. Lazarus Group operations are believed to be orchestrated by North Korean cyber actors.
June 2017: The U.S. Computer Emergency Response Team published a warning of potential North Korean cyber attacks against U.S. media, aerospace, and financial companies. Known as “Hidden Cobra,” the alert identified Internet Protocol (IP) addresses associated with a malware variant used to manage North Korea’s DDoS botnet infrastructure.
November 2014: In addition to having personal information and intellectual property stolen from its networks, Sony Pictures Entertainment suffered damages from wiper malware. The Federal Bureau of Investigation maintained high confidence that North Korea was responsible.
The recent Equifax breach, a global information solutions company that organizes, assimilate and analyzes data on consumers and businesses worldwide, and one of the three major credit reporting agencies, exposed the data of approximately 143 million people in the United States. Between May and July, the breach allowed attackers access to the names, Social Security numbers, birth dates, and even driver’s licenses, in addition to 209,000 credit card numbers and dispute details for another 182,000 individuals. According to the company, the attack vector exploited a U.S. website application vulnerability to gain access to certain files. In addition to being a major credit bureau, Equifax is a partner of the Internal Revenue Service (IRS), the centers for Medicaid and Medicare, and the Social Security Administration, all major targets of hostile cyber actors.
Your data is now out there, thank to Equifax breach
More alarming than the breach itself is the fact that details of the breach wasn’t made public until six weeks after it had occurred, and the company hasn’t said why it had waited so long before notifying the public. One possibility is that the company may have been investigating the causes and the extent of the breach, although this is just one speculation. To add insult to injury, it was revealed that three of Equifax’s executives sold company stock prior to the disclosure of the breach. While the company maintains that these individuals were not notified of the Equifax breach prior to the sale, once the breach was made public, Equifax stock value plunged 18 percent, with some estimates predicting further losses.
Unsurprisingly, the culmination of events has outraged an American public whose anger has reached the U.S. government, igniting a bipartisan political response to the breach. The U.S. Senate Finance Committee has pressured Equifax to disclose what happened and why. A 13-question letter covering topics such as details of breach discovery, the company’s victim notification plan, and steps to mitigate consumer impact. The company has until September 28 to answer the questions outlined in the Committee’s letter.
The Equifax breach comes at a time when some significant organizations have failed to safeguard sensitive personal information of citizens. Notable breaches have included the 2015 Anthem breach that surrendered 79 million people’s personal information;
the 2015 Office of Personnel Management (OPM)breach that compromised more than 4 million personnel records of individuals applying for security clearances; and the 2016 IRS breach that exposed the personal information of more than 700,000 individuals.
It is important to underscore that these millions of individuals did not carelessly protect or handle their own data. Rather, it was the inability of these “responsible” organizations that require the information for their business purposes to properly secure it, calling into question the extent of their responsibility, accountability, and consequence. Even after providing potential victims to see if their information might have been compromised, the last six numbers of an individual’s Social Security number – not the last four which is more standard – was required. Providing additional information into a website of an entity that demonstrated its inability to protect what it already had is certainly not reassuring.
Currently, 48 states have laws requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information. However, the “time of notification” varies, and in several instances, is defined in vague terms such as “most expeditious.” This is completely unacceptable in today’s cyber reality where the criminal element can operate quickly and monetize stolen information immediately before victims are even aware that they have been compromised. In 2011, the Social Security Administration (SSA) failed to inform thousands of Americans it accidentally released their names, dates of birth and Social Security numbers in an electronic database widely used by U.S. business groups. The SSA essentially ignored established reporting guidelines of the U.S. Privacy Act, which protects personal information of private citizens. Such actions are not only negligent but border on criminal in their own right.
The U.S. public is tired of seeing massive breaches occur without any accountability or consequence levied against those organizations that were trusted and failed to protect the sensitive information of other people. Fines do not send a serious enough message, and CEO firings and/or forced resignations have not made any significant impact in implementing change in cyber security practices. U.S. Congress, long maligned and unpopular according to one tracking service, has the opportunity to demonstrate bipartisanship and pass strict disclosure mandates, along with an appropriate level of grave consequences.
While much attention has been focused on nation state cyber capabilities, the frequency and pace of major breaches like Equifax breach have become white noise that gets a moment’s notice before attention is focused on sexier cyber topics. This has got to change. While the crippling of a U.S. critical infrastructure as a result of a cyber attack can potentially have far reaching impacts, it remains a scenario. What is transpiring is the rampant mass exploitation and misuse of the U.S. public’s personal information, which effects everyone, regardless of political party, economic class, or religious ideology. That seems a call that both sides of the aisle should be able to get behind.
Self driving cars have effectively transitioned from an incredible-but-far-off-possibility to a changing market with world wide growth. Still, connected cars are vulnerable to attack.
Charlie Miller and Chris Valasek have been pushing the automotive industry to make security a top priority for years. In 2015, the researchers hacked in a Jeep, and in 2017, there is now a growing automotive cybersecurity market.
Growing at over 9% of CAGR, the automotive cybersecurity market has extended across the globe to include Europe, North America, Asia, and the Middle East and Africa. As the industry grows, so too will new legislation impact the trajectory of the markets, according to the 2017 Global Automotive Cyber Security Market Report.
Recently, there has been substantial reporting regarding potential ties between Kaspersky Lab and the Russian government. A series of public accusations from U.S. government officials certainly intimate that conclusion, which has been bolstered by some leaders of the U.S. intelligence community agencies. Furthermore, the U.S. government went as far as to remove Kaspersky Lab from two General Services Administration (GSA) lists of approved vendors used by U.S. government agencies for contracts that cover information technology services and digital photographic equipment. Leaked e-mails were alleged to solidify ties to Russian intelligence, although this was questionable at best. To add a digital nail in the coffin, the Federal Bureau of Investigation (FBI) wanted all businesses – and not just organizations tied or affiliated with the government – to stop using all Kaspersky products in general. Such overwhelming condemnation suggests that there must be some validity to the claim, but is that the case?
Kaspersky Virus Lab (source:www.kaspersky.ru)
Despite pronouncements of illicit ties, no evidence has been offered to the public to prove or at least justify the strength of these allegations. Much of what has been provided is very much circumstantial without the important “smoking gun” to solidify these concerns. Critics of Kaspersky are quick to note that the company’s founder is among multiple Kaspersky team member trained in cyber security at an academy run by Russian intelligence. Others will cite how Kaspersky Lab has been certified by the Russian Security Service (FSB), and was given a number matching that of an FSB program.
Kaspersky Lab Responds to FBI Claims
Kaspersky has and continues to vehemently deny any and all such claims and counters this viewpoint by offering transparency. In July 2017, in an effort to prove that no collusion exists between the company and the Russian government, Kaspersky offered to provide source code to the U.S. government for auditing, as well as to testify before Congress on the subject. In December 2016, one of the company’s top cyber security investigators was arrested by Russian authorities amid charges of treason. According to the company, the nature of the individual’s very public arrest predated his employment with the firm, raising doubt over the “closeness” of the company and the government.
Notably, the company has been a leader in tracking advanced persistent threats (APT) – the malicious cyber activity suspected of being conducted, orchestrated, or directed by foreign governments. Bolstering its independent claims, Kaspersky has uncovered activity affiliated to Russian hackers, as well as from other countries as well, and has been the target of another APT group, discovering the stealthy actors entrenched on its networks in 2015. The company boasts a longstanding cooperative relationship with international law enforcement. In 2014, Kaspersky Lab extended its scope of cooperation with Interpol, and signed a memorandum of understanding with Europol. While largely as circumstantial as the evidence against it, the culmination of these points certainly backs Kasperky’s argument that the company is independent of the government.
The objections with Kaspersky Lab is similar to those levied against Chinese information technology companies Huawei and ZTE and are founded in many of the same fears of state-direction, and unverified suspicions of espionage collusion. As with those companies, there is a dearth of evidence that shows with any measure of confidence that they are engaged in espionage activities on behalf of their home governments. In the aftermath of the concern of Russian meddling in U.S. and French elections, fear of all things Russian is understandable. However, instigating a “digital red scare” without providing the solid evidence seems more of a political move than a practical one. Indeed, Kaspersky has expressed the same sentiment saying that the company is being used as a pawn in a larger geopolitical game between the Russian and U.S. governments. Since establishing Kaspersky Lab 20 years ago, the company has enjoyed tremendous financial success and growth, serving more than 400 million users worldwide and is the largest software vendor in Europe. Undoubtedly, the accusations of a government like the United States could potentially tarnish the brand and impact future sales.
What should be the solution for the Kasperskyl Lab crisis?
Instead of finger-pointing, an easier solution may be just to not buy Kaspersky Lab products for government systems. In a consumer driven marketplace, every individual and organization can purchase whatever product they want, and if an organization does not trust another, then it simply makes sense not to acquire their products and services. But publicly calling into question a company’s integrity and business practices without the evidence to support those claims is nothing short of irresponsible and petty, and may encourage equal treatment to U.S. companies at a later date. This type of escalation is not needed or helpful. In the cyber domain, there is an understandable demand for public and private partnerships that serve to strengthen their respective security environments. And that starts with a shaking hands, not slapping them away.
The collision of the USS John McCain (naval destroyer) and an oil tanker near Singapore is the recent incident in a series of four naval mishaps in 2017 alone that have plagued the U.S. Navy. Ten U.S. sailors were initially lost at sea, some whose bodies have since been recovered.
USS_John_S._McCain_(DDG-56) after the collision
Are all incidents connected?
There has been much speculation as the cause of the latest accident, with some believing more than “human error” to be the root of the issue. The other three incidents included the USS Antietam (guided missile cruiser) running aground of the coast of Japan in January, the collision of the USS Champlain (cruiser) and a South Korean fishing vessel, and the crash between the USS Fitzgerald (destroyer) and a container ship in June. All of the vessels are part of the U.S. Pacific Fleet, and three of them are part of the U.S. 7th Fleet, the largest of the U.S. Navy’s forward-deployed fleets. Cruisers and destroyers carry theater ballistic missile interceptors, long-range Tomahawk land attack missiles, and anti-aircraft missiles.
Could Cyber be the cause?
While the cause remains unknown at this time, there is strong speculation that cyber malfeasance may have been the catalyst. One top U.S. Navy admiral tweeted that the Navy will conduct a thorough investigation, including a review into the possibility of “cyber intrusion or sabotage.” Indeed in the USS Fitzgerald incident, there is strong suspicion that hostile cyber attack may have prevented the radars and systems in place from identifying the other ship. As one news source pointed out, under standard protocol, the Fitzgerald’s captain should have been awakened and summoned to the bridge to assure a safe passage long before the ships could come near each other.
Maritime cyber security concerns have garnered attention as of late. In June 2016
Cyber threats to Global Shipping
Danish shipping giant Maersk was victimized by the global Petya cyberattack outages, which impacted container shipping, port and tug boat operations, oil and gas production, drilling services, and oil tankers. Damage estimates have ranged from USD $200-$300 million to the company. The Maritime Safety Committee of the International Maritime Organization adopted a resolution that established guidelines for cyber risk management for commercial shipping sector. In another incident, pirates broke into a shipping firms computer systems, allowing them to see which vessels were transporting the cargo they wanted to seize.
Are military vessels at risk too?
While this issue has mostly focused on civilian vessels, the events plaguing the U.S. Navy demonstrate how military naval assets can potentially be targeted by malfeasant actors, particularly those supporting a nation state’s interests. Stealthy espionage operations have been traditionally leveraged by these actors seeking to steal information, maintain access, and generally monitor target systems. However, the 2010 Stuxnet and a series of wiper malware incidents have revealed how suspected state actors can become more destructive in cyberspace if their intent changes from spying to punishing.
There is some evidence that some nation-states have been experimenting with the targeting of naval vessels via the digital domain. According to a June 2017 report from a security company, 20 ships near the Russian Black Sea coast indicated that their Global Positioning System (GPS) location to be inland at Gelendzhyk Airport. Such GPS anomalies can certainly be interpreted as Russia testing security measures and its capabilities by spoofing GPS that could be leveraged against opposing targets in the event of a military conflict (It should be noted that the U.S. military uses encrypted signals for geolocation of vessels, rather than commercial GPS).
Conclusion
Regardless if these series of incidents were coincidences or the result of purposeful targeting, it potentially demonstrates how valuable military assets can be targeted in the cyber domain. Effective cyber attacks do not necessarily have to be ones that seek to destroy or even disrupt the function of information systems. Disinformation and deception are useful tools that when operationalized properly can create specific effects. If surreptitious access can be obtained, manipulating data rather than erasing it can prove more advantageous. The clandestine nature of such attacks and the timing of their execution not only accomplish intended objectives, but provide a level of obfuscation and plausible deniability for the attackers.
A more thorough investigation of the USS John McCain will hopefully yield findings that will determine the cause of the tragedy. But the fact that maritime vessels – including those of the U.S. Navy – are on hostile actors’ target lists cannot be understated. With 320,000 active duty personnel and 274 ships (of which more than 20 percent are deployed across the world at one time), ensuring the integrity of systems and logistics is crucial to the success of its mission. Acknowledging its security situation and where there needs to be improvements is a step in the right direction but there needs to be a comprehensive strategy from the top down to start to address these existing shortcomings before they become a real problem. If they haven’t already.
In late July 2017, hackers referring to themselves as “31337” initiated a campaign that posted sensitive personal data on Pastebin, an online bulletin board where hostile actors have been observed dumping sensitive information for public consumption. The group released a 32 MB file titled “Mandiant Leak: Op. #LeakTheAnalyst,”claiming that the data was taken from a senior threat intelligence analyst at a well-known computer security vendor. The company has asserted that none of its internal networks were penetrated by the hackers, although three corporate documents and two customers were exposed via the victim’s personal social media accounts.
Dump posted on Pastebin
The threat analyst’s online credentials had been released into the wild as a result of eight data breaches of third parties that had occurred previously. Any evidence of corporate compromise, such as screen grabs that purposefully intimated a network breach was manufactured, according to a company statement. Regardless, according to news reports, company stock felt an immediate impact, dropping 5 percent after the incident was made public.
Private security companies have gained prominence for their efforts in detecting and identifying hostile cyber activity, particularly those perpetuated by suspected nation state or state-affiliated actors. Notably, another private company – and not the Federal Bureau of Investigation or the Department of Homeland Security – led the mitigation and remediation efforts after the 2016 breach into the Democratic National Committee networks. Indeed, law enforcement and private sector companies are proving to be a positive collaboration. Private sector companies have the resources and connections to proactively report criminal activity and support investigations with digital forensics and malware reverse-engineering. In several instances, both groups have joined forces in an effort to disrupt cybercriminal businesses with ransomware connections.
However, this recent incident is notable as it is one of the first instances where hostile actors have deliberately targeted security and intelligence analysts at private security firms with the intent of revealing their identities for further damage. In its post advertising the LeakTheAnalyst Op, the group’s motivation is rooted in revenge.
“In the #LeakTheAnalyst operation we say ****
the consequence let’s track them on Facebook,
Linked-in, Tweeter, etc. let’s go after everything
they’ve got, let’s go after their countries, let’s
trash their reputation in the field. If during your
stealth operation you pwned an analyst, target
him and leak his personal and professional data,
as a side job of course.”
In essence, it may be a harbinger of things to come where hostile cyber actors are seeking to turn the tables on their white hat counterparts.
From a larger perspective, companies must consider the negative ramifications of the doxing of their employees and how that potentially affects company branding. Take for instance the unfortunate events surrounding DigiNotar. In 2011, DigiNotar’s system was tricked into issuing more than 500 fraudulent digital certificates for top Internet companies. This caused such severe damage to the company’s image and business that confidence was unrecoverable. The company ultimately went bankrupt.
While the group intimates that more doxes are to follow, there is some skepticism that the group will or even has the skill set required to conduct more sophisticated attacks to exploit systems and retrieve more sensitive information. The fact that it appears the group gave off the false impression that it had compromised the company’s networks certainly suggests they may have limited capabilities in this capacity.
While the incident demonstrates that even security professionals are subject to targeting and victimization, the greater concern is whether this will be an isolated incident or the beginning of something more serious. Media attention given to private sector computer security firms in exposing advanced persistent threat (APT) actors or cybercriminals operating in the dark web has certainly gotten the attention of these groups and individuals. With the recent targeting, it now has placed them in the cross-hairs of at least some of these same entities.
It is uncertain if the publicity this incident has generated will entice other more skilled hostile actors – such as APT-affiliated or nationalistic actors – to join in the crusade. Several suspected APT actors have been “outed” by private security companies, and ongoing coverage has negatively highlighted the activities of patriotic hackers (e.g., the distributed denial-of-service attackers observed against Estonia in 2007, and against U.S. banks during Operation Ababil), and recently, those of Russian Internet trolls during the 2016 U.S. Presidential election. Where aggrieved unsophisticated hackers pose at most a modest threat, a more motivated and advanced actor set seeking revenge on the very organizations that have established their reputations from their exposure is a different adversary altogether. Attacking brand image and eroding public confidence puts security company solvency at risk.
A bugle has inadvertently been sounded; it remains to be seen if that call is answered.
On June 27, 2017, the Cyberspace Administration of China (CAC) released its National Cyber Threat Response Plan to help bolster its cyber security posture. According to news sources citing a document posted on the CAC website, the Plan includes a four-tier color-coded warning system that ranked the severity of cyber attacks Red (the highest level), Orange, Yellow, or Blue (the lowest level).
On May 11, the U.S. President’s Executive Order (EO) “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” was finally signed. This long awaited EO comes on the heels of leaked earlier versions throughout the first part of 2017. Each subsequent leaked iteration – a draft was published by the Washington Post in January, a revision was published by the Lawfare Blog in February, and the most comprehensive iteration was leaked in early May and also published by the Lawfare Blog.
First announced in 2015, the United Kingdom (UK) finally published its Digital Strategy that went into effect on March 1, 2017. Per the government’s website, the goal of this document is to provide a blueprint how the UK will build on its success to date in developing a world-leading digital economy that works for the greater good. This is particularly important given that the UK is a global capital for financial technology, which generated £6.6bn of revenue in 2015.
