
Crane Hassold: So What? Why Threat Intelligence is Important in the Age of Social Engineering

BSides Calgary, 50:10, published 2021-12
Transcript [en]

[Music] all right thanks everyone for uh for for attending my presentation today um you know i really love presenting at b-sides conferences because of the audience the mix of individuals that come to these conferences it's it's you know it's it's an audience that i like talking to because it's very different than actually my background so you know so my name is crane hassell i'm the director of threat intelligence at abnormal security where i oversee a team of researchers that look at you know enterprise focused phishing threats but my background isn't actually technical um you know prior to moving over to the private sector in 2015 i was with the fbi for 11 years and most of that time i

spent in the behavioral analysis units in quantico virginia where i did some violent crime profiling and then with a couple other folks actually created the fbi's cyber behavioral analysis center which takes those concepts that have been used for decades in the violent crime profiling space and applied them to cyber threats inside the third actors uh to look at them at a completely different perspective and so my background is actually not technical it's more human behavior psychology and intelligence based and what i'll be talking about today is you know how we can as an industry take the technical components of what we do on a day-to-day basis and how we report things and make it more effective uh from a for

for a wider audience and you know as we go through this presentation we'll talk about intelligence but then we'll also talk about some some applications of intelligence that we can use to look at you know different types of attacks not just malware attacks but also more pure social engineering attacks like business email compromise and look at some interesting sort of intelligence collection methods around that so with that i will go ahead and get started and so we'll kick off this the presentation we're just looking at you know how we as an industry tackle the problem of of intelligence and what we report and how we report it and how it is really a challenge from a

communication perspective and how we want to get information out to the right people you know as an industry we do a lot of reporting on malware you know i was just you know a couple days ago getting this slide together you know just looking at some of the various uh technical analyses that have been rep you know that have been written over the past couple of years this is just really just a a handful of them but we do a lot of reporting on on malware on other technical artifacts that we find in in an attack that we see and you know it's it's all well and good but what is it what does that really

contain what are these what do these reports usually contain you know many times they include things like you know just binary execution analysis source code of the malware looking through a walkthrough of functions processes strings uh you know an overview of the debugging and disassembly process that was gone it that went into you know analyzing the malware reverse engineering the malware you know a in a detailed description of various technical exploits that were being used you know a look at the shell code um you know going into detail about some of the files and keys that were created looking at network behavior and defensive mechanisms of the malware and you know for a very specific audience

this may be relevant and may be useful but it is a very very small population of analysts that can actually follow any of this you know at the end of the day we got to think up think to ourselves so what you know that's part of my the title of my presentation and when it comes to intelligence so what is the question that we need to be asking ourselves continuously to answer why am i reporting this who am i reporting it to and what value will they get out of what i'm reporting and if you can't answer the question of so what then it's quite possible that whatever you're reporting is going to be relatively useless

and so the biggest problem with malware analysis today is that the general public who should be ingesting a lot of what we're sending out really can't understand any of this now the purpose of external reporting is to inform a wide audience about certain threats so that defenses can be implemented um for more proactive uh proactive uh uh protection you know at the end of the day the way i think about malware and the technical components of cyber attacks is you know they're quite frankly secondary concerns if i am analyzing malware that means i'm already looking at the second third fourth stage of an attack and everything else that came before it has already happened you know there are some more

pressing issues when it comes to understanding cyber threats that i think are a little bit more important one is preventing the delivery to begin with you know what actually happens before bow where is executed how is it being delivered what's the infection vector and usually that infection vector in most cases it was going to be non-technical and most of the most the time that's going to be delivered through social engineering through phishing or something like that and then another sort of primary concern about uh cyber attacks when it comes to malware is what's the potential impact of us of a certain attack what happens after that malware has been executed and this is something that you know

executives and stakeholders really want to know like if i am you know infected with malware if my network or some computers are infected with malware what am i act what's actually going to happen how is it going to impact uh the organization and my business you know what is the financial impact what types of data loss and exfiltration might might happen what's my potential corporate corporate exposure to uh to these types of to these types of attacks and things like that and as we go through this we'll see some of the additional examples of you know the questions we should be we should be asking ourselves when we're doing more technical analysis that will allow us to

answer these types of questions and not just focus on you know technical artifacts so for everyone who's listening you know right now i want you to think about a bank robbery in progress think about what that looks like visualize a bank robbery that is happening it might look something like this it might you know a guy comes into a bank is going to rob the bank you know he he's obviously holding a gun he has some a hoodie in the glove some sort of facial masking i don't know if this is uh a trash bag or what but he's got something going on that's hiding his face and you know this is you know one of you

know a ton of different possible examples you might be thinking of when it comes to a bank robbery in progress now to associate that with what we do a lot of times with more technical analysis and malware analysis what we're doing is we're taking this attack which is this robbery and we are hyper focused on the weapon we're hyper focused on the malware we want to know everything about that malware you know in as detailed and as granular as we can possibly get and when it comes to malware analysis many times this is what we do and we've completely ignored everything else that's going on in this uh in this scenario in this attack and so

when we look at this and we look at this example of a bank robbery and we think about the investigators that are going to be looking at these attacks do they really care about the intricate details of the weapon that's being used in the bank robbery no they absolutely do not do they care if a weapon was used or maybe even what type of weapon was used yeah they probably do but they don't need to go into the granular details of that weapon in order to uh precede their investigations some of the things they really that investigators really want to know are things like who robbed the bank what was the bank robber wearing when

was when was the bank robbed what did why did the robber choose this bank what defenses if any did the robber have to overcome in order to make this robbery happen how was the robber behaving during this robbery and have there been any similar robberies in the area and then also how much money was actually stolen as a result of this robbery and when it comes to these questions they're all linked to various basic you know things that we're looking for when we're doing intelligence analysis whether it's attribution a general description of the threat temporal uh indicators around the attack uh motivation and behavioral characteristics you know preparation of the attacker before the attack uh the

overall sophistication of the attacker whether we can link this attack to any other attacks and the overall impact which i mentioned a little bit a little bit earlier these are the things that we really want to know and this helps us better understand the bigger picture when it comes to threat intelligence so i've mentioned threat intelligence a lot uh but let's go into detail what is threat intelligence because it's one of those terms that is misused all the time in our industry um when we're talking about cyber attacks and the analysis of those attacks so when it comes to what threat intelligence is these are the general principles to think about when it comes to threat intelligence it helps you

understand the bigger picture now i'm not just focused on a singular thing or a singular tool or singular behavior but i want to better understand how that thing associates to the overall threat landscape it's enriched with additional context so one of the things when you talk about intelligence you're also hand in hand and generally going to be talking about analysis intelligence is data that has been analyzed and with that with that analysis comes comes the fact that we are providing some additional context to answer that question of so what for our audience it's actionable and it's timely so that means that when i'm looking at intelligence you know if it's just again going back to that so what question

there has to be a reason that i can take this intelligence and apply it to what i'm doing on a day-to-day basis and it's not just something that just sits there and i can't really ingest or do anything with it and it also has to be timely if it is something when we get into something like iocs and threat data then we really start talking about the timeliness of of quote-unquote intelligence and data in the fact that many times when we're talking about intelligence and people disseminate quote-unquote intelligence they're providing data that is essentially stale by the time it gets to the recipient and it makes that data you know quite frankly useless and then it also allows us to uh enhance

our proactive defenses you know with with threat intelligence it goes back to understanding the bigger picture it allows us to more proactively you know look for attacks identify attacks prevent attacks more proactively instead of just receiving information and plugging into something like a sim and then detecting attacks that are already coming in or have have already come in so let's talk about threat data versus the two primary types of intelligence which is tactical intelligence and strategic intelligence so i mentioned threat data on the on the previous slide and usually when you see a threat intelligence feed it is generally going to be something like a threat data feed that consists of iocs and other you know

very basic data things like urls or ip addresses things like that and when you look at threat data like that it has a very short life span meaning that by the time it has been inserted into that feed and has been received by a specific audience the overall usefulness of that data has likely already passed and if you think about that the reason for that is a lot of data that comes into those feeds has been identified and collected in in attacks that have been confirmed as attacks that have already happened and so there is no proactive proactive detection there it is simply regurgitating the data that has been collected from known attacks now also primarily threat data feeds are

going to be consumed by applications rather than uh rather than by actual individuals or analysts they're going to be go in ingested directly into a sim or a sore uh to to uh to easily look for specific uh pieces of that data it also helps us associate specific individual attacks and not cannings as a whole and as i mentioned it helps improve retroactive detection so attacks that have already happened but it doesn't really help us without any additional analysis or intelligence actually improve any proactive detection down the line compare that to things like tactical intelligence and strategic strategic intelligence now these are the two primary types of intelligence that you might see on a regular basis and they're

very different and consumed by different uh different analysts for different reasons so tactical intelligence is more specific and relates to ttps tactics techniques and procedures around a threat group or a threat campaign that extends to more than just a single attack but will extend to uh signatures or characteristics across a a group or campaigns uh multiple attacks now this is gonna be intelligence that's generally going to be consumed by practitioners by the actual analysts that are that are trying to defend their environments and this is what really helps us improve proactive detection if i can't identify general characteristics that are used by the by the threat actors then i can start writing new rules like yara rules

that can identify attacks before they've been identified anywhere else and so i'm not just relying on specific threat data now i'm sort of looking at the bigger picture there and then you have strategic intelligence and this is really big picture stuff when we start talking about strategic intelligence because this is more global in nature this is looking at trends within the threat the cyber threat landscape to understand what's actually going on to understand an overall risk level not to not just to my organization but maybe to my industry as a whole and you know for for global attacks and this is going to be intelligence that is initially going to be created by a an analyst but really is going to

be the audience for strategic intelligence is generally going to be for decision makers executives and stakeholders that are going to be uh going to be actually implementing and driving policy that will help secure my environment moving forward at a much higher level so that's an overview of uh of you know what intelligence is what threat intelligence is so let's talk about you know malware and malware analysis versus intelligence analysis what the difference is between the two and how we can sort of merge the two of them together into something that will actually help you know a much broader audience so when it comes to malware analysis and intelligence analysis this is essentially an interesting battle that's

been going on for quite some time as to which one you know which one is is helpful for which audiences and really when you when you look at malware analysis and intelligence analysis it really all comes down to training you know malware analysts reverse engineers their training what they're trained to do is to hone on a specific you know a specific piece of malware specific file and dig deep into that file and learn everything we can about it it is hyper focused on the thing and understanding more about that thing whereas intelligence analysts are trained to look at that bigger picture to understand how different pieces fit together and to use that intelligence to understand different trends and what's

going on in the threat landscape so what we need to do moving forward is figure out a way to really turn malware analysis into malware intelligence analysis and this will actually help us reach that broader audience and make a lot of our more technically sophisticated reporting more ingestible by a lot more people and we can do that there are essentially four specific uh components to malware intelligence analysis and you know various questions we should be asking ourselves as we're doing our analysis of certain malware when we're writing up our our our findings and things like that and this is in no way shape or form sort of uh conclusive of all the questions that we should be asking ourselves

there's simply a uh uh a sampling of some of those of some of those questions just to get you just get you thinking about it you know so when we're talking about preparation when i'm trying to communicate from a malware perspective uh how how an audience how the people who are reading my analysis should be using this information to prepare against future attacks essentially what i'm trying to communicate is what do i need to know in order to protect my users against a threat whether my my audience is internal or external you know what is the initial infection vector are there specific vulnerabilities that are needed to be patched to protect against uh this specific threat

who is the likely target of these of of this threat you know what is my overall risk level for this threat and should i prioritize certain threats over others so when we're talking about preparation these are some of the questions that we should be talking about now then then we move from preparation to detection so you know outside of just preparing for an attack because obviously we can't prepare for every single attack now we want to get into know if you know how can we better detect any attacks that that have sort of bypassed our initial defenses and so this is the questions that we're asking here are what do i need to know to proactively

detect a potential attack and that proactive uh component is extremely important here you know things like what types of suspicious behaviors should i be blocking uh or alerting on what are some primary characteristics or ttps of a specific type of threat what high value systems or applications uh is a threat likely to to exploit and then once we get to the next part is is responding so now we're talking about uh you know if a threat has gotten through my defenses and i wasn't able to detect it and you know something has happened how am i best what do i need to know to more quickly remediate a successful attack i want to know what

threat is this what actually what actually owned me at the end of the day how do i contain a specific threat and fully mitigate that threat uh what artifact should i be looking out for what evidence can be collected in order to be used in a specific investigation and you might notice this is where some of those more granular characteristics of malware can really come into play because a lot of what we're reporting in malware analysis are things like what types of artifacts will will malware leave on a system that we can collect and identify that will connect us back to uh to that malware and then the final stage here is you know once all this has been done

um you know it's all about reporting so if if we're talking about if an attack has gotten through our defenses wasn't detected we responded to it we still need to report back up to our stakeholders to let them know more about this attack and that includes things like what was the overall business impact what do we know anything about the actors behind this attack is is this activity similar to anything else that we're seeing out there or what others are seeing and then is there any actionable intelligence that i can take from this incident and provide it to to other people so they can you know better prepare detect and respond to their attacks and so these are just some of the

questions when we're talking about intelligence analysis when you're doing your technical analysis to to to think about as you're going through your reporting cycle and this is very much a cycle when you hear when you talk about intelligence you know you'll very you'll many times hear about the intelligence cycle and this all goes back and forth over and over and over again it's not just one singular thing it's all about specifically going through the cycle and once it's been reported take what you've reported take what you've learned to enhance your preparation detection and response going forward and taking what other people have have reported and doing the same thing there it's very much a cycle

and so we've talked about a little bit about sort of you know malware analysis as an industry how we've you know how we've treated our analysis how we can improve it uh using some more uh more strategic intelligence uh uh tactics and then also you know talking more about what threat intelligence is as a whole but i want to shift gears a little bit here and wrap up my presentation with you know how we can use some unique uh intelligence collection methods to better understand the full cycle of social engineering attacks like bec and so you know just to to level set you know when we talk about what business email compromise is bec is very much one

of those terms that has been uh used by many different vendors for with many different definitions it's very much turned into like today's apt um that that means a lot of different things to a lot of different people you know when i talk about bec essentially what i'm talking about is a spearfishing attack that involves the impersonation of a trusted individual or entity that tricks an employee into making a financial transaction or sending sensitive materials uh and persuading them to do that and that can be done generally speaking by one of two high-level methods one is by spoofing and that can either be by you know spoofing the display name of the the individual that's being uh impersonated

or by directly spoofing the email address as a whole and then there's also the compromise side side of things things like vendor email compromise have become extremely common today and what are the you know most damaging subgroup of of bec attacks today and that's where a uh an email account has actually been compromised and intelligence from that email account has been used to target you know other uh other generals going to be customers of a vendor or a supplier and you know when we think about why bec has become such a problem over the past really five or six years you know there are three primary reasons for this one is you know traditional defenses have

primarily focused on more technically sophisticated threats you know email email defenses that have been around for multiple decades at this point you know they came up they came about looking for malware their whole drive was to defend against malware and cyber criminals have you know has figured this out and they've shifted their tactics to to become much more lo-fi where they are you know not using malicious links or malicious payloads and just using pure social engineering to commit their attacks things like basically is a great example of this you know where you had a threat group that was primarily delivering malware through emails and now is go taking the time to have no no payloads no attachments in

there in their email campaigns and they're trying to get uh employees to call a call center to then get them to download malware completely separately from the initial communication you know also bec has a much higher return on investment or roi than other types of cyber attacks and if you think about this from a business perspective because this is a really good way to think about cyber attacks because for the most part most cyber threat actors are going to be financially motivated so it's all about the money and what they're trying to do is maximize their return maximize their profits and so when you think about what's required in order to to send out a bec campaign

there's very little overhead that's required to do it essentially you're identifying targets and you're sending out emails that's essentially what you're doing and you know one of the things that i've been thinking for a while we started to see this coming to fruition uh really you know over the past couple of years was you know at some point the eastern european and the s and the russian cyber criminals are going to start thinking to themselves you know why am i spending all of this time and money you know hiring developers for my malware setting up infrastructure when i can just send people email tell them to send me money and they'll do it you know we've started to see some

more sophisticated actors in those regions in places like eastern europe russia and even israel start to enter the bec space likely because they've realized that the overall work that's required in order to make essentially a very similar amount of money um is is much less and so that's one other reason why we're seeing uh bec attacks uh become such a problem and the final reason that bec has become an issue over the past five or six years is really social engineering at its core is extremely effective you know as long as human beings have been on this earth we've been socially engineering each other the only difference is now we're doing it over email instead of doing it

face to face or over the phone or uh or through the mail the same principles that have been used to con people for literally thousands of years uh are the same principles that are used today um because it is very effective and it's very difficult from a human behavior perspective to turn off some of those you know ingrained uh ingrained reactions and reflexes things like trusting what you see in front of you um it's very difficult to turn those off uh because because as human beings we're you know we're led to our initial instinct is to look at something and trust it unless there's something else that will uh that will cause us to go

against that so at its core social engineering is extremely effective and so you know we talk about talk about bec the two you know the two primary cyber threats today that most people think about are bc and ransomware and you know i created this table to really compare and contrast the two because quite frankly they're on completely saw completely separate ends of the cyber threat spectrum you know both of these attacks are primarily financially motivated uh bec is almost exclusively financially motivated ransomware the same thing with the exception of a very few attacks wannacry and not petya that we saw a couple years ago are great examples of those but for the most part most a vast majority of the ransomware

attacks we see today are financially driven but other than those similarities everything else is very very different you know bec is almost exclusively delivered through email and ransomware today while it used the initial infection vector used to be email now that has almost completely changed now there are a variety of different attack vectors for ransomware while uh email is a is an indirect uh vector of attack and what i mean by that is usually ransomware is not directly delivered through email today it's going to be delivered indirectly so there's going to be a compromise through other types of malware trickbot's a big one that we're seeing these days where there's an initial infection of a computer or a

network and that initial that initial access is then exploited later on down the line to deploy malware but then we also have things like other web applications you know insecure web applications password reuse on on applications like rdp and vpns that's what we saw earlier this year with colonial pipeline and jbs um so so ransomware has really shifted away from email becoming a primary attack vector and to a sort of a wide variety of other types of vectors you know bec as we talked about on the previous slide frequently bypasses legacy email defenses where ransomware today is usually going to be detected by a lot of those email defenses um again because that is essentially what email

defenses most of those legacy defenses have been trained to do ransomware gets all of the attention when you think about what the media is reporting on from from a cyber threat perspective it gets a lot of the attention because primarily it's highly visible because ransomware because of what it does if it is deployed on a centralized network like we just saw this past weekend with sinclair it's going to have an actual noticeable impact um by uh across the board and you know it's not very it's not it's not invisible whereas bec is usually not going to be public um because of the nature of bec attacks those are generally not going to come out and no one's going to realize

that they've actually happened unless it's going to be something like a state or local government that has a requirement to report them or if it's part of a legal document and in that case it might it might get out there another difference between between bec and ransomware attacks are you know it's interesting when you talk about bc they are very highly decentralized actors that are coming from places like west africa mainly nigeria and what i mean by decentralized is there there are a literally thousands of these actors out there and there's a very loose organizational structure that connects all of these actors it's not something like a very strict hierarchy like what we see with a lot of eastern european

and uh russian cyber criminal organizations where that is more centralized where there is a sort of a strict hierarchy and especially with things like ransomware as a service you have a relatively small population of actors that influence a vast majority of the overall ransomware threat landscape which means that if some of those actors are taken out of play our evil is a great example of literally just happened um then then you can actually make a a noticeable impact in the in that threat landscape whereas you have some with bec where you could arrest hundreds if not thousands of these actors and you would make a very very very small dent in the overall threat landscape because they're

decentralized and then you look at like the the the threats that are posed by each one of these again ransomware is the one that gets all the attention but when you look at the fbi's ic3 report that came out earlier this year you know it's you know it showed that last year 19 000 bec attacks were reported compared to 2000 ransomware attacks and then the amount of financial loss is 1.9 billion dollars for bec compared to 29 million dollars for ransomware and you know people will always say that there's under reporting involved and that no with ransomware incident response is not included in that 29 million dollars and i don't know i'd say that it's the same thing goes

with bec there's remediation involved there and that cost isn't isn't isn't calculated at 1.9 billion dollars and they're also very underreported and so that 19 000 that 19 000 number is also quite low and while ransomware obviously is a threat to businesses i think when it comes to overall what enterprises you know should be concerned about everyday enterprises all around the world i don't think it's a question that bec takes the cake and dwarfs ransomware in the overall threat that it poses to most organizations out there and that's what my team does at abnormal is we you know we want to better understand bec threats to understand not just the the threats themselves but the

full cycle of these attacks you know what happens after these attacks are successful and so you know one of the interesting aspects of bec that we don't see with other types of cyber attacks is that in order for it to be successful it requires interaction with a victim there actually has to be communication between a target and the attacker in order for the attacks to be successful because you know the attacker has to respond and say you know i want you to make a payment to this supposed vendor and so on and so on and so that communication has to take place and this is really where you know when we talk about unique intelligence

collection methods, this is where we can collect some unique intelligence using some interesting tactics. I think one of the things to think about is that when it comes to intelligence collection, it doesn't always need to be passive. We don't always need to be simply taking what we're seeing within our environment, what's hitting our environment that we're stopping, and stopping there. We can go beyond that and start collecting some additional intelligence that helps us better understand the threat as a whole, and not just essentially taking what the attackers are giving us. This is essentially what we call active defense, and the definition that I use

for active defense is interacting with an attack or an attacker for the purposes of collecting intelligence that helps us better understand the full scope of an attack. That could include things, which you'll see here on the next few slides, like engaging with BEC actors, seeding phishing sites, embedding beacons in those communications that give us some rough geolocation information on the actors, or things like setting up honeypots. So when we talk about response-based attacks, I want to run you through a very brief example of how some of this intelligence collection could go. Let's say we have a BEC actor that's going to be impersonating

our CEO or another executive, and they simply send an email saying, I need your help with something, are you available now? If we're doing passive collection, this is all we have. We don't have anything else to go on. We don't know anything about the motivation, we don't know what they're looking for, we don't know what tactics they're going to be using, we don't know anything else about this actor. This is really all we have. So when it comes to response-based attacks, one of the things that we can do, and one of the things that my team does every single day, is we've actually built a population of personas that we

use to engage with these BEC actors, which helps us understand the full cycle of these attacks. With that, we can use one of these personas and say something like, oh yeah, Mr. CEO, happy to help, what did you need? To which they'll say, we have a pending payment that needs to get sent out urgently, could you kindly process that payment to the beneficiary and get back to me ASAP. So now we know more about what the overall motivation is, what this actor is actually looking to do in this attack. To which we respond with something like, of course, not a problem, just go

ahead and send me the beneficiary account details and I'll take care of it. To which they send us a mule account that they want us to wire money to. This gives us a little bit more context and information: now we know a fraudulent account that we can pass on to financial partners to get flagged or shut down. But of course we're not going to actually send them any money, so we may say something like, I'm actually getting a message that says this account is unable to receive incoming transfers at this time, could you check on that and see what's going on? To which they say, oh, you know what, I just

looked into that, sorry for the inconvenience, maybe you could try this beneficiary account instead, and kindly get back to me when the payment has been sent. So now we have another mule account, and this really goes round and round in circles until these engagements extinguish themselves. In some cases what we do is we'll actually send them fake confirmation receipts to say, oh look, this payment has gone through, do you have any other payments that need to be made? And many times they'll say, oh yeah, we actually do have another vendor that needs to get paid, here's another payment that needs to go out. So again, this helps us much better understand what

happens after a potential BEC attack is successful, and we're not just relying on that initial message. Now similarly, we can do something similar for credential phishing attacks, and this is something that my team has been working on for a while now, using a lot of the same concepts and principles to help us better understand what happens after an email account has been compromised. In this, what we do is we build out a population of personas and infrastructure, legitimate personas that are hosted on Microsoft Office 365, that we actually use to seed into enterprise-focused phishing attacks, things that are impersonating Dropbox, DocuSign, Microsoft Office, Adobe, things like that,

and what we're able to do is, once we seed those credentials into those phishing sites, we're then able to monitor those accounts to see what happens after they've been compromised. We can better understand things like how quickly accounts are accessed, where they are being accessed from, how the account is being accessed, and then also how the actor is using the account: are they pivoting to other applications, what are they trying to go after once they've gotten access to these accounts, are they going to use it to collect intelligence, are they going to set up forwarding and redirect rules, are they going to use it to start spamming out a

whole bunch of other phishing emails to other users? It gives us a better understanding of an attacker's behavior within these accounts. And so with that, that's all I've got for you today. I really appreciate everyone being here. As I mentioned at the beginning of this presentation, I love giving talks at BSides because of the audience that usually comes to these. If anyone has any questions, my contact information is on the screen here, feel free to email me or hit me up on Twitter, and I'd be happy to chat. With that I'm going to

close this. As we're waiting for any potential questions, I will say, one of the interesting questions (Adam, I'll answer yours in a sec) from a law enforcement perspective: I mentioned this a little bit earlier, about how effective law enforcement is in combating cyber threats. This is a question I get a lot, and I think it really depends on the type of threat. As I was talking about the differences between ransomware and BEC, it really comes down to the centralization of certain threats. When you look at ransomware today,

when you have law enforcement operations like we recently saw, and you have a majority of ransomware attacks coming from a small number of groups (I think right now a little bit more than half of all ransomware activity we see today is either through LockBit or Conti or even what was REvil), when you take one of those groups out of play, and none of the affiliates can then actually use any of that malware at that point, then you've really impacted the threat landscape. Again, going back to BEC, I think law enforcement is doing as good

of a job as they can, but it is very difficult to make an impact in the BEC threat landscape simply through law enforcement, because it's essentially a volume game. There are so many actors that are not associated with one another, and just because you've arrested 10 of them doesn't mean that it has trickled down to making an impact across the board. So Adam had a question about why email filters suck at identifying BEC and what we can do about it. That's a great question, that's been the ten thousand dollar question that we've been asking. I

mean, that's why companies like Abnormal Security exist: we initially existed to solve that problem, because most legacy email defenses have been more focused on signature-based detection versus behavioral or content-based detection, and when you have actors that are essentially only using text to try to persuade an employee, to manipulate them to do something, then all of that signature-based detection is really worthless because of how it works. I agree with some of the things that y'all have put in the chat, things like regex, and

this also goes back to tactical intelligence as a whole and looking at the behaviors of these attacks, because when you start looking at BEC attacks at a larger scale, you definitely start seeing some patterns in how they write and how they operate. A lot of these groups are using templates, things that they call formats, which are essentially scripts that they use for the initial message and the next two or three messages that go back and forth to an employee. So if you understand those patterns, then you can start writing some better rules that will be able to detect

those en masse more proactively. And yeah, there are certainly services out there like Abnormal that do that, that are built specifically for detecting social engineering attacks, and again I'd be happy to chat with anyone who's interested in those. Another question from Adam: are you seeing BEC starting to transition into unfiltered communication mechanisms such as SMS, or are the attackers still sticking to email? So right now the only examples that I have seen of BEC actors pivoting to SMS have been almost exclusively actors that are requesting gift cards. A lot of BEC actors today, when they're trying to get an employee to go out and buy gift cards

for them, which still, illogically, is about 50% of all BEC attacks requesting gift cards, a lot of those either come directly via SMS or try to immediately pivot to SMS right after the initial email. The reason for that is because then the employee can simply go directly to a store, buy the gift cards, take pictures of them with their phone and send them directly to the scammer, so there's an efficiency angle to it. But outside of that, I haven't seen any widespread examples of wire transfer BEC attacks, vendor email compromise attacks, or payroll diversion pivoting to any other mechanisms. That

being said, I have no doubt that as our cloud environments evolve and grow, it's definitely going to be inevitable that other communication platforms, things like Slack or Teams, will eventually be the target of cyber criminals and social engineering attacks that we don't see at a large volume today. So Sarah asked a question: I heard there are now ransomware kits to help people get started, and the distributor simply asks for a cut of the profits, can you speak towards this? Yeah, so that's essentially what's called ransomware as a service today, where you have the primary actors that have created the

malware. They may even provide access to a portal or a dashboard that will allow affiliates to track their campaigns as they go out. Usually when that happens, each affiliate gets their own key, and that's essentially how the primary actors are differentiating one affiliate from another affiliate. That also means that an affiliate only has a certain amount of time to be able to use that ransomware, and usually they're getting (absolutely right) either a cut of the ransom or an upfront cost that they're going to be sharing with the primary actors. But

essentially what ransomware as a service does is it lowers the barrier to entry for a lot of these less sophisticated actors to get into the ransomware space. But at the end of the day you still have those primary actors, and if the primary actors weren't there, then the affiliates wouldn't be able to do what they do. Marcie, we saw five minutes, is that right? We do, but the room will stay open as long as there are still people in it, so if you would like to continue taking Q&A you're more than welcome to. Perfect. So another question from Sarah: I've noticed a lot of BEC formats are

eFax messages. Why are the threat actors using this practically outdated technology as a format? That is a fantastic question, Sarah, and it's a question that me and my team ask all the time. A lot of those credential phishing messages that get out there are, you're absolutely right, eFaxes, or you have a voicemail that's waiting for you. I don't exactly know why they're still using that. I can tell you that the logic behind it is very similar to what I think about when it comes to gift card BEC attacks. From a logical perspective,

it's really difficult to think, man, these guys must be making a ton of money on gift card BEC attacks, their success rate can't be that big, why do we still see this happening? And we're going on now two years of gift cards being the primary thing requested in BEC attacks. But what I can say is, because these attacks are financially motivated, the ROI for the attacks must still be there, or else they would have pivoted to some other tactics. So it must be the same thing with these eFax and voicemail messages: the success rate for them must still be there in order for the return to be good

enough for them, or else they would have tried some other types of lures. But the why behind things like that is really difficult to answer, though it's a really good question. So Adam has another question: ransomware as a service took us by surprise, might BEC as a service become a reality? We've got REvil, why not BEC-evil? I do think that we are coming up on that. You do see in a very few underground forums there is something similar when it comes to

the initial compromise of mailboxes, whether it's going to be either selling access to mailboxes that are going to be taken over and used for vendor email compromise attacks, or something similar where an actor might run the initial credential phishing campaign and provide an affiliate with the compromised mailboxes that are captured from that campaign. I do think one of the things that is inevitable at some point, especially because of the hyper focus on ransomware, especially with the US government, is that one of the biggest drivers of ransomware today is cryptocurrency. If it weren't for cryptocurrency,

the scale of ransomware attacks would not be possible, even if they were being requested in things like wire transfers, because of the regulation that's involved and the visibility that's involved in those transactions, which you don't have with cryptocurrency. You wouldn't be able to have something like a 40 million dollar ransom being requested and paid in anything other than cryptocurrency. Because of that, I think it is inevitable that we're going to see some regulations and crackdowns coming down on cryptocurrency, which I think in the next two or three years will likely make cryptocurrency not as attractive as

a payment method for ransomware actors, which will essentially have a massive impact on that landscape. But the question is what will happen to those actors that are running ransomware campaigns today. They're not just going to go away, because it's all financially motivated, and so they're going to have to pivot somewhere. In my opinion, I think we're going to start seeing a lot of these more sophisticated actors coming out of Eastern Europe and Russia starting to pivot to things like BEC, because they've observed and seen the success that other actors are having in that space, and because they're really accustomed to things like as-a-service offerings they run in underground forums. I

think it's very possible that those will be the primary actors that are going to be involved in something like BEC as a service in the future. Cool. Marcie, it doesn't look like we have any more questions. Anyone who's still around, thanks again for attending the session, and if you have any other questions please feel free to reach out, I'd be happy to chat.
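Added example, placed after the transcript and not part of the talk or of Abnormal Security's product: a small content-based scorer of the kind the speaker alludes to when he says that understanding BEC "formats" lets you write better rules. It checks an inbound message for the behavioural signals the talk lists (an executive's display name on an outside address, replies redirected to another domain, and template phrases such as "pending payment", "kindly", "get back to me ASAP", "are you available", gift-card requests) instead of relying on signatures. The executive directory, domains, phrase lists, weights, threshold and the two sample messages are all constructed assumptions for the demonstration.

```python
"""Behavioural/content scoring of a message for BEC 'format' signals.

Added example, not code from the talk or from Abnormal Security. Everything
below (executive list, domains, phrases, weights, samples) is constructed.
"""
import re
from dataclasses import dataclass, field
from email.utils import parseaddr

# Constructed directory: protected display names and their real mailboxes.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Phrase groups mirroring the template behaviours described in the talk.
PHRASES = {
    "urgency": [r"\burgent(ly)?\b", r"\basap\b", r"\bright away\b", r"\bimmediately\b"],
    "payment": [r"\bpending payment\b", r"\bwire (transfer|the funds)\b",
                r"\bbeneficiary\b", r"\baccount details\b",
                r"\bprocess (that|the) payment\b"],
    "gift_card": [r"\bgift ?cards?\b", r"\bredemption code\b"],
    "availability_probe": [r"\bare you available\b", r"\bneed your help\b",
                           r"\bquick task\b"],
    "template_style": [r"\bkindly\b", r"\bget back to me\b", r"\bdo not call\b"],
}


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)


def score_message(headers: dict, body: str) -> Verdict:
    """Return an additive score plus human-readable reasons for an analyst."""
    v = Verdict()
    from_name, from_addr = parseaddr(headers.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""

    # Display-name impersonation: a protected name on an address that is not
    # that executive's real mailbox (the 'Mr. CEO' opener in the talk).
    name = from_name.strip().lower()
    if name in EXECUTIVES and from_addr.lower() != EXECUTIVES[name]:
        v.score += 40
        v.reasons.append(f"display name '{from_name}' on unexpected address {from_addr}")

    # Reply-To redirection: replies would leave the sending domain.
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        v.score += 20
        v.reasons.append(f"Reply-To {reply_addr} differs from From domain {from_domain}")

    # Template phrases: each matched pattern adds a constant weight.
    text = body.lower()
    for group, patterns in PHRASES.items():
        hits = [p for p in patterns if re.search(p, text)]
        if hits:
            v.score += 10 * len(hits)
            v.reasons.append(f"{group}: {len(hits)} phrase(s)")
    return v


def classify(headers: dict, body: str, threshold: int = 50):
    """Label a message 'suspicious' or 'ok' against a constructed threshold."""
    v = score_message(headers, body)
    return ("suspicious" if v.score >= threshold else "ok", v)


# Constructed samples: a first-message BEC format and a routine internal note.
SAMPLE_BEC = (
    {"From": "Jane Doe <jdoe@webmail.example>",
     "Reply-To": "exec.office@othermail.example"},
    "Hi, I need your help with something. We have a pending payment that needs "
    "to go out urgently. Kindly process that payment to the beneficiary and "
    "get back to me ASAP.",
)
SAMPLE_BENIGN = (
    {"From": "Jane Doe <jane.doe@example.com>"},
    "Thanks for the update on the quarterly report. Let's sync on Thursday.",
)

if __name__ == "__main__":
    for label, sample in (("bec", SAMPLE_BEC), ("benign", SAMPLE_BENIGN)):
        outcome, verdict = classify(*sample)
        print(f"{label}: {outcome} (score {verdict.score})")
        for r in verdict.reasons:
            print("  -", r)
```

The header checks carry most of the weight on purpose: the talk's point is that the text alone is often unremarkable, so a production rule set would pair these phrase groups with sender-behaviour baselines (first-time sender, new Reply-To, tone shift) rather than tuning the regexes forever.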