
Cyber Threat Intelligence Plan

Julian Bennett

University of San Diego

CSOL 580: Cyber Intelligence

Shams Al Ajrawi

August 17th, 2020



Executive Summary: Cyber Threat Intelligence Plan

Fiat Chrysler Automobiles (FCA) is among the top three US automobile manufacturers, having a large footprint not only amongst domestic vehicle sales, but also internationally. As such, FCA has a large electronic footprint enabling global manufacturing, sales, marketing, and research and development. This high visibility makes FCA a large target for cyber threat actors, ranging from criminal hackers to sponsored nation-state actors aiming to gain access and exploit its information environment. Cyber Threat Intelligence (CTI) is a product of cyber threat information that has been collected, evaluated for context and reliability, and analyzed through substantive expertise (I&AWG, 2020) and is a unique and powerful tool on which to base all of FCA’s future active cybersecurity initiatives.

Federal law enforcement agencies, including the FBI, warn of known and unknown threat actors seeking to compromise and exploit the automobile industry using various attack methods known throughout the cybersecurity sector. The automobile industry has an extensive research and development sector that threat actors, primarily nation state-sponsored, aim to exploit in order to gain an upper hand in the name of corporate espionage. Their primary attack vector remains “phishing”, where employees are sent seemingly innocent emails, luring the recipient into opening malware embedded in an attachment. This malware varies in sophistication and damage and enables the attackers to execute actions on their objectives. Included in a threat actor’s arsenal are brute force attacks, ransomware, and other destructive malware designed to destroy or hold data at risk. Organizational risk of cyber attacks or incidents can be mitigated by developing robust cybersecurity policies and processes. This includes the build of a comprehensive cyber threat intelligence platform and an extensive defense-in-depth program that includes proactive vulnerability management and detailed vetting and risk assessments of third-party vendors.

Cyber Threat Intelligence Plan

Fiat Chrysler Automobiles (FCA) is a top three US automobile manufacturer, with a large global footprint and presence. As such, FCA has a large electronic footprint enabling global manufacturing, sales, marketing, and research and development. Due to this high visibility, FCA is a premier target of cyber threat actors, both criminal and state sponsored. Nation states will go to great lengths to compromise FCA’s research and development arm and supply chain to gain an upper hand and utilize corporate secrets for their own nefarious purposes. The aim of this report is to assist executive leadership in understanding and assessing the threat facing the organization in a modern cyber environment and to provide recommendations to mitigate the risks.

Threat Actors

In a bulletin released to several private companies, the FBI warns of known and unknown threat actors seeking to compromise auto industry computer systems using “sophisticated techniques and by taking advantage of network vulnerabilities” (Campbell, 2019). In an environment where the auto industry’s research and development arm is extensive, state sponsored threat actors use sophisticated attacks to gain an upper hand in support of corporate espionage. While this report does not name the specific actors responsible, it points out that the automobile industry has become a lucrative target for both nation-states and cyber criminals (Lindsey, 2019). Corporate espionage is a widely known effort of China-based threat actors. A major Advanced Persistent Threat (APT), identified as “APT20”, is assessed with high confidence to support the interests of the Chinese government and to be tasked with obtaining information for espionage purposes (Vijayan, 2019). China-backed APTs are largely known to align with China’s Five-Year economic development plan to rise above other nations’ economies and industries (Fireeye, 2019). This assessment directly aligns with the aforementioned FBI report in that state-sponsored groups engage in espionage against specific industries, including the automotive industry.

Delivery Methods

The FBI report points out that the most common attacks against the US automotive industry are “brute force” attacks where a compromised database of users and usernames is used to gain access to corporate infrastructure. While this is a seemingly simple attack method, it is extremely inefficient and easily stopped by security defenses. An additional attack method is described as a “phishing attack”, where employees are sent seemingly innocent emails, luring the recipient into opening malware embedded in an attachment. According to IBM’s X-Force Threat Intelligence Index 2020, phishing remains the top attack vector in use today. A third type of attack is ransomware, where the attacker gains access to corporate information, encrypts it and forces the victim to pay a ransom to decrypt it, or else destruction occurs. This is particularly relevant to the automotive industry, as the Honda Company fell victim to the WannaCry ransomware in 2017 (Dooley & Ueno, 2020). Regardless of attack method, most threat actors must progress through a very specific sequence of steps in order to be successful. Lockheed Martin developed a cyber kill chain methodology to provide a framework with which to analyze a cyber attack. It is a seven-step process that not only assists with the post-mortem analysis of an attack, but also enables network defenders to align their defenses against it (Lockheed Martin, 2015). Each phase is completed in succession as illustrated in Figure 1.

Figure 1

Lockheed Martin Cyber Kill Chain

Note. Lockheed Martin Cyber Kill Chain model for identification and prevention of cyber intrusion activity.

Risk Reduction

When threat actors attempt to exploit an organization’s network, they generally follow the above-mentioned steps in the cyber kill chain. It is imperative that organizations plan for and deploy their defenses at every step along this chain. CTI can assist with anticipating this threat and tailoring these defenses to specific threats in order to maximize efficiency and cost effectiveness. Utilizing a comprehensive CTI solution allows for the automation of the threat investigation process and delivery of actionable intelligence reporting tailored to the organizational environment. CTI will greatly increase awareness of threats and allows for the proactive deployment of mitigating defenses.

Additionally, as seen during many major cyber attacks, including the devastating NotPetya ransomware attack, vulnerability management is an integral part of any cybersecurity program (Rhysider, 2019). At the latest, patch and vulnerability management can stop the attacker at step four of the cyber kill chain, exploitation. Exploits and many pieces of malware take advantage of vulnerabilities embedded in outdated and unpatched software. When executed properly, timely patching of vulnerabilities will stop the attacker from gaining access and executing its malware.

To mitigate or prevent the attacker’s actions on its objectives, proactive threat hunting on the network will illuminate malicious cyber activity. With the help of intelligence tools and analysis, threat hunting is the active pursuit of attacker indicators of compromise, eliminating the attacker’s freedom of movement and preventing data exfiltration, destruction, or surveillance.



References

Campbell, J. (2019). FBI says hackers are targeting the US auto industry. https://www.cnn.com/2019/11/20/politics/fbi-us-auto-industry-hackers/index.html

Dooley, B., & Ueno, H. (2020). Honda hackers may have used tools favored by countries. https://www.nytimes.com/2020/06/12/business/ransomware-honda-hacking-factories.html

Fireeye. (2019). Double Dragon: APT41, a dual espionage and cyber crime operation. https://content.fireeye.com/apt41/rpt-apt41

Intel & Analysis Working Group (I&AWG). (2020). What is cyber threat intelligence? Center for Internet Security. https://www.cisecurity.org/blog/what-is-cyber-threat-intelligence/

Lindsey, N. (2019). FBI warning: Hackers now targeting US automotive industry. https://www.cpomagazine.com/cyber-security/fbi-warning-hackers-now-targeting-us-automotive-industry/

Lockheed Martin. (2015). Gaining the advantage: Applying cyber kill chain methodology to network defense. https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/Gaining_the_Advantage_Cyber_Kill_Chain.pdf

Rhysider, J. (2019). NotPetya. Darknet Diaries Podcast Episode 54. https://darknetdiaries.com/episode/54/

Vijayan, J. (2019). China-based cyber espionage group targeting orgs in 10 countries. https://www.darkreading.com/attacks-breaches/china-based-cyber-espionage-group-targeting-orgs-in-10-countries/d/d-id/1336676
