
And without further ado, I'd like to introduce the keynote. So for this morning's keynote we have Dr. Xena Olsen. Dr. Xena Olsen is a cybersecurity professional focused on cyber threat intelligence at a Fortune 100 company. She enjoys discussing all things cyber threat intelligence and can be found in various threat intelligence sharing groups such as Curated Intel. She's a SANS Women's Academy graduate with eight GIAC certifications, an MBA in IT management, and a doctorate in cybersecurity with a focus in enterprise purple teaming. And without further ado, Dr. Olsen, speaking about the expanding universe of cyber threats. Thank you.

[Applause]

All right, just give me a couple moments to get set up here. Woohoo, it worked. I get speaker notes, how exciting. This is going to be kind of rough, looking at a cell phone. Okay.

So I want to do a really quick thank you to BSides San Francisco, to your staff, the volunteers, the sponsors, everyone involved. This is a big event to put on, so let's give them a little round of applause. Okay, and due to timing I'm going to leave this open, hopefully it stays on, so that I can make sure I get this wrapped up on time. All right.

So thank you, everyone. Do you remember the first time you discovered something new, or saw something from a different perspective? Well, I do. I was a very, very small girl and I was having a hard time learning the difference between my left hand and my right hand. For some reason I just couldn't tell them apart. So one day a teacher came up to me and they're like, hey, if you look at your hand, it is shaped like the letter L. And right then and there my life was forever changed. I never looked at my left hand the same way again. And just like that, those feelings of awe and discovery and just learning something new, I hope you get to reconnect with that and have those types of experiences this weekend through conversations with other professionals.

So what is this talk about? Well, BSides San Francisco reached out to me and they're like, we want you to talk about cyber threat intelligence, and I'm like, OMG, yes, I love cyber threat intelligence. So we hopped on the phone, we started talking, and I started going like this, because we needed to come up with a topic, and I realized I kind of felt like that meme of It's Always Sunny in Philadelphia, talking about all the cyber threats. So in that moment BSides San Francisco and I were like, that's it, that's it. So bam, a couple of emails later and we got the title, The Expanding Universe of Cyber Threats, and that's how this presentation was born.

So I thought to myself, what do I have to bring to this topic? What do I want to share with everyone? Well, I realized that I have a story to share about the cyber threat intelligence wins that I've had the opportunity to observe in my career, so you all get to hear about that. And I also wanted to encourage people to engage their internal cyber threat intelligence team, or CTI team, and if you don't have one, to possibly think about standing up your own cyber threat intelligence function.

So if you're like me, you think about the problem of the expanding universe of cyber threats and you're like, man, there's just so many. Every single week, every single Patch Tuesday, something new is coming out. And so you think about the limitations of either people, process, or technology and you're like, all right, there's no way in the world I can address all of these cyber threats. So with that, I want to challenge you to look at the expanding universe of cyber threats as an opportunity. And what I hope you get out of this talk is inspiration to explore new or existing things from a different perspective and to discover something incredible.

So I heard from a friend that in space no one can hear you scheme, except for lawyers. So with that, I am here in my own individual capacity. I'm not speaking on behalf of my employers. Everything I say or do, any vendor I mention, is solely my opinion. All right, hopefully that checked that box.

So thank you, BSides San Francisco, for the really wonderful introduction, but I wanted to add a little bit more context for you guys. So I've been in cyber threat intelligence as an official paid career, where I made money full-time, for a little over five years, and prior to that I wore many hats, but I came from the small business realm. And so why I'm sharing this with you is that I tend to approach things from a business perspective, where I try to focus on providing business value. So if you're wondering if it sounds a little MBA-ish, please excuse my MBA, but it really is my business experience. So in this cyber career, what I've learned so far is that there is not a one-size-fits-all for anything, and there's kind of no one right way to do something. So in this talk I'd love for you to have an open mind. We're here to have fun, we're here to explore, and we're here to kick off a really awesome conference.

So I'm going to talk a little bit about space. So in 1961 JFK had a really awesome speech. If you get a chance, if you like great speeches, check it out. It was the space exploration speech at Rice University, where basically he said, hey everyone, guess what, we are going to go to the moon in less than a decade. And just pause with me for a second and imagine: no one's ever, ever done that before, and they're saying in less than ten years we're going to the moon, and you're like, yeah, he's crazy. So actually, fast forward to 1969, that was approximately eight years later, not only did we go to the moon, but we also walked on the moon. How crazy is that? So when that happened, I feel it absolutely changed the world and changed what was possible for everyone. And similar to the moon landing, where essentially, when that was happening, Eagle, or Apollo 11's lunar module, had about 20 seconds left of landing fuel, all the people on Earth (and today's Earth Day, happy Earth Day, by the way), all the people on Earth were like, whoa, ah, and they didn't really understand the actual threat that was going on. And so cybersecurity is a lot like that, where all of us, you know, we operate in the background, we operate in the shadows, we make sure stuff is patched in time, we investigate anomalous activity, like all the things, and we ensure that the business keeps running and the customers and the general population are blissfully unaware that we exist.

So in a world where the expanding universe of threats is an actual reality, because it is, we become the cyber equivalent of the cyber explorer, similar to the astronauts and the engineers and NASA and everyone that was involved in getting us to the moon. So we are the adventurers, the innovators, the out-of-the-box thinkers, and the future. So we are empowered to be curious, we're empowered to learn all the things and to discover something incredible.

So in this talk I'm going to talk briefly about cyber threats, what's going on with them, and then how to prioritize them, maybe a little bit about the real world, and then finally the conclusion. So we're going to go on an adventure, and I'm going to share some of my favorite threats, and I hope you like them too. Basically, we're going to start with some history, go into some definitions, and then some flavors of cyber threats.

So this is the totally official, super serious history of cyber threats. So imagine with me, in a galaxy far, far, far away, someone invented computers, probably some people, maybe some aliens, to ensure the future of humanity through technology, and this laid the groundwork for the birth of cyber threats. So no talk about the history of cyber threats would be complete without a shout-out to the very first computer virus. So I will give you a hint: it was named after the bank-robbing green ghoul in Scooby-Doo, Where Are You!, which was a cartoon in the 1970s. All right, it was the Creeper. So in 1970 Bob Thomas is like, you know, I would love to do a security test and see if it's possible to make a self-replicating program. And basically, if the Creeper visited you, it would print out, "I'm the creeper, catch me if you can." So that was a fun little tidbit of history.

So when you're exploring new topics or looking at things or having conversations with people, I generally recommend to kind of get on the same page and level set, and the way that I do that is through understanding other people's definitions of whatever words they're using. So for instance, this one on the screen here, I honestly picked this one (a) because I liked it and (b) because it kind of aligns with the usage in this particular talk, no other special reason. So before the pearl clutching begins, this is not an exhaustive list of cyber threats, it's just some of them. And for people that are interested in looking into high-level threats for your particular industry, check out Verizon's DBIR, or Data Breach Investigations Report. What I love to do in the evening sometimes is, you know, get some water, coffee, or whatever I'm drinking at the time, and read the footnotes. The footnotes are absolute perfection and I highly recommend.

So first we're going to start with information operations. So believe it or not, deepfakes aren't just for Tom Cruise on TikTok. They can also be used to convince, for instance, your CEO to go on record saying stuff that they normally probably wouldn't say. A group that is well known for doing this is Vovan and Lexus, or TA499 by Proofpoint. And so basically they target politicians and celebrities, and they use, quote unquote, deepfake pranks, wink wink, and they're pro-Russia comedians, and there's been rumors that they're associated or affiliated or something with the Russian government, but basically they deny, deny, deny. If you're interested in exploring more about information operations, I would suggest checking out CYBERWARCON, and they just released the 2022 videos, or started to last night, and in it there's some really great info ops for state-nexus actors. And when I say state nexus, it's really just a fancy word for, like, affiliated, related, whatever, to the government.

Next we'll talk about system intrusion. And so I'm going to bring up Target's 2013 breach as a result of the HVAC company, but I'm not going to talk about what you think I'm going to talk about. Instead I'm going to focus on their glow-up and say there is life after breach. So fast forward about five years, give or take, in 2018, 2019, Target's security team is absolutely rocking it. So they're in the FS-ISAC, or the Financial Services Information Sharing and Analysis Center, they're in the Retail ISAC, and they're also contributing to the community. And in the event you don't have an ISAC membership, I highly recommend checking out the SANS Threat Hunting or CTI Summit. And at the end of this talk, I ended up putting a lot of these resources on a GitHub, so be sure to look up my GitHub. You can also go to, I don't know, github.com Cheerio, and then you'll see BSides San Francisco 23, so all these links are there. But basically what the Target security company did is they went from breach to internationally respected security team in less than five years. And I really don't, and this is of course my opinion so I have to caveat that, but I really don't think that they get enough credit for all the work that they put in to overcome that breach situation.

So next we're going to talk about fraud, and one of my favorite fraud actors was Hushpuppi, and he was a Nigerian influencer. So in 2022 he got sentenced to a little over 11 years in federal prison for conspiring to launder tens of millions of dollars due to online scams. So if you get a chance, on Google Photos, if you just type in Hushpuppi you'll see Instagram photos. He absolutely loved flaunting his wealth and his love for luxury. I personally saw it as a really easy collection vehicle for the FBI, but what do I know. But check it out, it's very, it's very out there.

So next we're going to talk about supply chain, and this one's a fun one. I think everyone in this audience might be aware of the supply chain chain reaction, where one supply chain compromise enabled another supply chain compromise, and I'll of course share: it's the 3CX one with the softphone application. Everyone thought, you know, CrowdStrike released a Reddit notice on, what was it, March 29th of this year, and they're like, oh my gosh, 3CX softphone application, you know, look at what's going on, supply chain. And then on April 20th, just a couple days ago, Mandiant's like, hold up, we found patient zero and it happens to be an application by Trading Technologies. So Trading Technologies' breach, or whatever issue with that, with the backdoor, and then we have 3CX. So just a little tidbit, they think it was attributed to DPRK, or North Korea, either an espionage activity cluster or group, depending upon which vendor is your flavor of choice. And finally, I just want to bring up a really important one that gets overlooked a little bit, and it's romance scams. In 2021 the FBI said that there were over a billion dollars in losses. To me, that's a lot of money.

So we're going to talk a little bit about celebrity vulnerabilities. So on May 30th of 2022, Microsoft released CVE-2022-30190, and the fun part was that there was no patch available until June 14th of 2022. So this one won the name Follina. This is why it was a celebrity vulnerability, because it got special treatment. And essentially it's exploiting the Windows Support Diagnostic Tool via MS Office files. So fast forward approximately a week, or June 7th of 2022, Proofpoint released research saying, well, well, well, hold up folks, like TA579, who's an actor associated, or a threat activity cluster group associated, with Qbot, where they ended up weaponizing a maldoc to abuse the Follina vulnerability that, when infecting a victim, would end up, you know, with a Qbot infection. So the important thing here is just to point out how quickly the threat actors, and people out there that want to do us harm, essentially are quick to operationalize and weaponize vulnerabilities.

So a really great talk on celebrity vulnerabilities is by Andrew Morris. He's the founder of GreyNoise. So in 2022 he did a talk at Black Hat where basically he has this beautiful graph of how the celebrity vulnerabilities have been increasing like crazy. If you guys like malware, and if you also like Qbot, there's a really, really great talk, and a slide deck actually, that goes through Qbot's code evolution by Carlos and Markel. They worked for Threatray, and it was at the 2022 Botconf, and it's on the GitHub.

All right, so there's a couple different types of threat actors. I'm not going to go into all of them on the planet, just some high-level ones, as you can see on the slides. So first we're going to start with e-crime, and they're honestly some of my favorite, and there's unfortunately so many that I can't really pick a favorite. Instead what I'm going to do is focus on their behavioral changes and the e-crime ecosystem, essentially. So I personally really love initial access brokers and access as a service. So the e-crime ecosystem is really interesting. It seems like it supports specialization, and honestly I predict a continued growth in initial access brokers in the near future, and who knows, forever, probably. And for people that aren't familiar with what initial access brokers are, essentially they're groups that are involved with initial access via first-stage malware payloads, and they may or may not, it kind of depends, work with ransomware gangs. And just as an aside, for people that love e-crime as much as I do, there's a conference, it's actually in May, it's called SleuthCon. I'm wearing their little pin, you know, not sponsored, unless you count the pin as sponsored, but it's a really awesome conference where leading professionals within the industry share all the things about e-crime, so I definitely would recommend checking it out.

Okay, so another group, or another type of threat actor to consider, is espionage. So some of my absolute favorite actors are from China, and I'm going to share with you my absolute favorite story, and it was by Proofpoint. So in 2022 Proofpoint released China espionage operation research, and it was against the Australian government and the wind turbine fleet in the South China Sea. So China actually responded and they're like, no, no, that's disinformation, you know, Proofpoint's just acting like the white gloves of the US government, you know, hashtag ignore, Proofpoint has absolutely, quote unquote, no professionalism or credibility. And let me tell you, the researchers that were involved with that, it was probably one of my absolute favorite moments in, like, the back channels and the Twitters and all of that. For me, if China publicly criticized my research, I would be like, boom, I made it. I would add it to my resume, I would be bragging about it, I'd be like, guess what, you know, China thinks I'm unprofessional. So it was Michael Raggi, so he actually had his talk from CYBERWARCON, where he goes into very intricate details, released the other day, so I would highly recommend checking it out. It's an absolute delight. So, yeah, favorite story.

The next one is insider threats. So I had to, of course, drop this mention of the 2020 Tesla employee bar incident, where basically they were approached to help a ransomware gang somehow magically get software on the network for a huge payout. So that's also a fun story. Another one is dating apps, and how investigative journalists are using dating apps and getting industry professionals like me or yourselves to go out on dates, and then get recorded and, you know, asked questions about the company that may or may not be true. So that's a fun one. And then the other one that I do have to bring up, that's also fairly recent, is the admin of the Thug Shaker Central Discord server that ended up sharing confidential information. So what I predict in this particular arena is basically there will be continued use of inventive ways to exploit normal human interactions, so that's like dating, online gaming, and all those chats, you know, that go on. And also, too, I'm going to add this in: spycraft, but spycraft that happens to leave cyber breadcrumbs, and I'll let you connect the dots.

So the next one is hacktivism. So one of my favorite examples of hacktivism is the Russia-Ukraine conflict, not that the Russia-Ukraine conflict is awesome, because I think it's very sad, but when that came out you had hacktivists supporting the Russians and then you had hacktivists supporting Ukraine. And a really great way to stay on top of all of that is the CyberKnow blog, and on Twitter they have the handle Cyberknow20. So definitely check that out.

The next one is terrorism, and it's not going to be the terrorism that you think. I am actually going to speak to domestic terrorism and extremists in the United States. So I feel that they're going to target, potentially, critical infrastructure to basically further their objectives, and I predict that they will continue recruiting insider threats and possibly do a little hecking. But I have to caveat this, that I am by no means an expert in this realm. I am a bystander. It's just stuff that I'm observing and all the stuff that I'm reading in the back channels and all of that. So here's the other problem too: I really am not a fan of hate speech, it makes me very sad, so I tend to stay out of these realms that would kind of give me a little bit more insight. So like I said, spectator, but basically I view it as kind of a growing threat and something that I personally can't continue to hashtag ignore.

And finally, for the lulz. So these types of threat actors, I think of the ones where the road sign has changed, or there's a billboard, an electronic billboard, that's changed, or, I don't know, like a website defacement. So that's what I kind of think of when it comes to that. And finally, for people that have red or purple team operations, I also recomme