CYBER THREAT INTELLIGENCE PLAN
G LOGAN GOMBAR
8/14/2020
USD CSOL580 M7

DEFINITIONS

• Cyber Threat
  • Anything that can damage, corrupt, or steal data, or disrupt an org's digital landscape and presence

• Cyber Threat Intelligence
  • The aggregation & analysis of info from multiple sources related to cyber threats
  • Sources can be anything – forums, word of mouth, official newsletters, press releases
  • Provides actionable insight into threats to the org or its interests

THREAT ACTOR TYPES

• Organized Crime
  • Groups paid by other parties to carry out attacks

• Industrially & Politically motivated threats
  • Political spies, nation-state hackers
  • Industry competitors

• Hacktivists
  • Persons who hack for a social cause

• Insider Threats
  • Employees who are upset with their company

• Those with no obvious motives (script kiddies, lone wolves, etc.)

THREAT ACTOR CAPABILITIES

• Range of capabilities and methods of attack
  • Nation-state hackers have large funding and can create their own exploits
  • Script kiddies are limited to premade, scripted attacks

• Potential methods of attack (non-exhaustive list)
  • Phishing/social engineering
    • Exfiltrates sensitive data from the company
  • Vulnerability exploitation
    • Hackers can break into unpatched systems
  • Misconfiguration exploitation
    • Hackers take advantage of administrators not following best practices

EXAMPLE COMPETITOR - KONSTANT INFOSOLUTIONS

• Web application development company out of India, founded in 2003
• C-Suite
  • Vipin Jain, CEO
  • Manish Jain, Co-Founder
  • Assim Gupta, President of US Business

• Threat Level
  • Unlikely to target the company offensively
  • Not a publicly traded company, so no public market value, but still active
  • Received “Top Rated” award in 2019 from SoftwareWorld

EVENT EXAMPLE 1 – MAERSK & NOTPETYA

• Who: Unknown
• When: June 2017
• Why: Unknown; seemed to be complete destruction
• What: A Ukrainian tax software update server was poisoned with malware. It permanently encrypted infected devices. Estimated cost of Maersk recovery was $300 million, with ~$10 billion for global recovery.
• How: Used a public NSA tool, EternalBlue, to exploit unpatched systems. The patch to render EternalBlue useless was also public.

EVENT EXAMPLE 2 - MIRAI IOT BOTNET

• Who: Paras Jha & associates
• When: September 2016
• Why: Financial gain; hit competing Minecraft hosts
• What: A 600k+ device botnet that could create high levels of DDoS traffic; it accidentally knocked Amazon offline & intentionally knocked multiple targets (Minecraft hosting servers) offline for days at a time
• How: Using IoT device factory default usernames & passwords, it infected devices around the world. Changing passwords from the factory default would have prevented this.

EVENT EXAMPLE 3 - WANNACRY

• Who: Unknown
• When: May 2017
• Why: Financial gain; malware demanded ransom
• What: Encrypted computers & demanded ransom. Hit high-profile networks, including the British National Health Service and FedEx.
• How: Used a public NSA tool, EternalBlue, to exploit unpatched systems. The patch to make EternalBlue useless was public.

RISKS TO THE COMPANY

• Phishing/Social Engineering
  • Exfiltrating sensitive data via social engineering is a risk to every company
  • Can happen via multiple mediums – in person, email, phone, etc.

• Unpatched systems
  • Have known vulnerabilities and are liabilities

• Default/weak usernames & passwords
  • If the login info is default, anyone can log in and compromise the device
  • Weak passwords can be easily broken, making them useless as a control

RISK MITIGATION - PHISHING

• Red Team Social Engineering
  • In-house attempts to exfiltrate sensitive data from employees
  • A minimum of one scenario per quarter (4x yearly)
  • Target a small set of employees each time

• Phishing Familiarization training
  • Once during in-processing, twice (2x) yearly after that
  • Elaborate on advanced phishing techniques; show the giveaway signs

RISK MITIGATION – PATCHING & PASSWORDS

• Patching Process & automation
  • EternalBlue exploited unpatched systems
  • Review critical security patches w/in 3 days
  • Apply patch enterprise-wide w/in 7 days with automation
  • Engage in weekly automated security patch scans of the enterprise
  • Implement SolarWinds products enterprise-wide in 90 days

• Password Audits
  • Mirai botnet used factory default passwords for networked devices
  • Quarterly password audits and minimum requirements help avoid this
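
As an added example that is not part of the original deck, the Python below turns the two targets on this slide into checks a small team could run on a schedule: the 3-day review / 7-day deploy SLA for critical patches, and a quarterly credential audit that flags factory defaults and passwords below a minimum requirement. The PatchRecord fields, the default-credential list, the 12-character minimum, the device names and the patch records are all assumptions and constructed sample data; the deck specifies none of them.

```python
"""Added example, not part of the original slide deck: two small checks that
operationalize the patching SLA (review within 3 days, deploy within 7 days)
and the password-audit bullets. All records, device names and the
default-credential list are constructed sample data, not real inventory."""
import string
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

REVIEW_SLA_DAYS = 3        # critical patches reviewed within 3 days (from the plan)
DEPLOY_SLA_DAYS = 7        # applied enterprise-wide within 7 days (from the plan)
MIN_PASSWORD_LENGTH = 12   # assumed minimum requirement; the deck does not fix a number


@dataclass
class PatchRecord:
    """One vendor patch as tracked by a hypothetical patch process. Dates are ISO strings."""
    patch_id: str
    severity: str                  # "critical" is the only severity the SLA covers
    released: str
    reviewed: Optional[str] = None
    deployed: Optional[str] = None


def _day(s: str) -> date:
    return date.fromisoformat(s)


def patch_sla_status(rec: PatchRecord, today: str) -> str:
    """Classify a patch against the 3-day review / 7-day deploy SLA.

    Steps not yet done are judged as of `today`, so a patch that is merely
    pending stays 'ok' until its deadline passes.
    """
    if rec.severity.lower() != "critical":
        return "not-in-scope"
    released = _day(rec.released)
    review_by = released + timedelta(days=REVIEW_SLA_DAYS)
    deploy_by = released + timedelta(days=DEPLOY_SLA_DAYS)
    reviewed_on = _day(rec.reviewed) if rec.reviewed else _day(today)
    deployed_on = _day(rec.deployed) if rec.deployed else _day(today)
    if reviewed_on > review_by:
        return "review-overdue"
    if deployed_on > deploy_by:
        return "deploy-overdue"
    return "ok"


# Constructed stand-in for a vendor default-credential list: (username, password).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("root", "root"), ("user", "user"),
}
_CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                 string.digits, string.punctuation)


def audit_credential(username: str, password: str) -> List[str]:
    """Return the findings for one device account (an empty list means it passes)."""
    findings = []
    if (username.lower(), password) in DEFAULT_CREDENTIALS:
        findings.append("factory-default")      # the Mirai condition from the deck
    if len(password) < MIN_PASSWORD_LENGTH:
        findings.append("too-short")
    classes = sum(any(c in cls for c in password) for cls in _CHAR_CLASSES)
    if classes < 3:                             # require 3 of 4 character classes
        findings.append("low-complexity")
    return findings


def run_audit(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Inventory rows are (device, username, password); only failing devices are returned."""
    report = {}
    for device, username, password in inventory:
        findings = audit_credential(username, password)
        if findings:
            report[device] = findings
    return report


if __name__ == "__main__":
    today = "2020-08-14"   # the deck's date, used as the audit date
    patches = [            # constructed records
        PatchRecord("P-001", "critical", "2020-08-01", reviewed="2020-08-02", deployed="2020-08-05"),
        PatchRecord("P-002", "critical", "2020-08-05"),                         # never reviewed
        PatchRecord("P-003", "critical", "2020-08-03", reviewed="2020-08-04"),  # reviewed, not deployed
        PatchRecord("P-004", "low", "2020-07-01"),
    ]
    for p in patches:
        print(p.patch_id, patch_sla_status(p, today))
    devices = [            # constructed IoT inventory
        ("camera-01", "admin", "admin"),
        ("switch-02", "admin", "Ch4nge-Me-First!"),
        ("printer-03", "svc", "printer"),
    ]
    print(run_audit(devices))
```

The SLA clock here starts at the vendor's release date, which is the stricter reading of the slide; a team that cannot see vendor feeds promptly may prefer to start it from the weekly scan that first reports the patch as missing, and that is a one-line change in patch_sla_status.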
RE-EVALUATE REGULARLY

• Creating a process is time- & effort-intensive
  • Organizations often will create it and never touch it again

• This CTI Plan will need to be reviewed twice a year
  • Ensures it is keeping up with company changes, given we are a small team
  • Ensures it is keeping up with the changing cyber security world

• The Red Team, Patching, & Password Audit processes will need to be reviewed quarterly to ensure they meet the target
