- [Landon] Welcome to the Cyber5, where security experts and leaders answer five burning questions on one hot topic in actual intelligence enterprise. Topics include adversarial research and attribution, digital executive protection, supply chain risks, brand reputation and protection, disinformation and cyber threat intelligence. I'm your host, Landon Winkelvoss, co-founder of Nisos, a managed intelligence company. In this episode, I talk with the head of research, development and innovation for Verizon's Threat Research Advisory Center, John Grim. We talk about the differences in motivations and methodologies between cybercrime and espionage actors. We also discuss how to prioritize a business's competitive advantage and communicate the protection strategy effectively to executive leadership. We also discuss threat modeling that can be driven by intelligence and ultimately driven by business priorities. Stay with us. John, welcome to the show. Would you mind sharing a little bit about your background with our listeners?

- [John] Absolutely, Landon, happy to be here. Thanks for the opportunity to speak to your listeners today. John Grim here with the Verizon Threat Research Advisory Center. I head up research, development and innovation for the team. I've been with Verizon for 11 years. Prior to joining Verizon, I was with the United States Army as a cyber counterintelligence special agent. Today's opinions and viewpoints are my own and not my employer's.

- [Landon] Appreciate you joining. Looking forward to this conversation today. We'll be talking about the differences between organized crime and financial crime and a nation state actor. So, let's dive right in. Very plainly, in your mind, what are the differences in motives, techniques, timelines and discovery between financial actors motivated by crime and more advanced nation state adversaries?

- [John] Okay, that's a good question.
So we did a deep dive into data breaches last fall in the form of the Cyber Espionage Report, which was an extension of the Data Breach Investigations Report that we've released for 13 years prior, looking at our cases as well as contributions from other contributors in terms of cybersecurity incidents and data breaches. And one of the things that I've seen over the years, both in my government days and my corporate days, is that cyber espionage threat actors tend to be very sophisticated. They tend to be the more challenging cases to investigate from an incident response and investigative response standpoint. But if you're a fan of the DBIR and you look at the numbers, you can see that by far the top type of data breach is those financially motivated threat actors. In fact, over the years, we did a seven-year study: financially motivated threat actors are behind data breaches 76% of the time, versus the second highest motive, which is espionage threat actors, behind data breaches 18% of the time. So, we looked at those two different types of data breaches, those different types of motivations, from the standpoint of who those threat actors are and what they're doing to compromise data and assets within victim organizations' environments. At a very, very high level, when we're looking at financial motivation, we're talking about PCI attacks, business email compromises, fraud. And as you can imagine, for example, last year with COVID-19, there were all kinds of threat actors taking advantage of the situation that cyber defenders and organizations were in, in terms of folks working from home and the challenges of securing that. So, lots of information there in terms of what we're seeing with COVID-19 and fraud and financially motivated threat actors. But when we look at espionage motivated threat actors, we're looking at a different dynamic.
For example, financially motivated threat actors are dominated by organized crime, as you mentioned earlier. Espionage motivated threat actors are dominated by state affiliated entities and nation state entities, folks that are working either directly for another country, or they're being supported or blessed off by another country. So, two different types of threat actors there that align with those two different types of motives.

- [Landon] So, I mean, let's take this approach. We both have threat intelligence backgrounds, so let's apply this to the enterprise. Let's just take a manufacturing organization. You certainly have front-facing applications that are ripe for fraud and for financial abuse, and at the same time you also have valuable IP that is probably beneficial for a nation state. Walk through the different actions an organized crime group is gonna take, and what kind of different methodologies the nation state would take.

- [John] Absolutely. It's interesting you pick manufacturing, 'cause when it comes to espionage breaches, folks in the manufacturing vertical, when we look at the overall data set, are manufacturing 21% of the time, second only to public administration, which is the government. And looking within manufacturing at all breaches for the seven-year timeframe of this study, we saw that 57% of the time manufacturers are dealing with espionage threat actors, with the balance of the percentages going to financially motivated threat actors. So, when we look at what these threat actors are doing in terms of their actions, we see that espionage threat actors are leveraging social engineering just like financially motivated threat actors. In fact, when it comes to social attacks, both are leveraging phishing as number one in terms of that specific type of attack. Second to that is pretexting, a very, very distant second.
So those threat actors, both espionage and financial, to include the manufacturing industry, are leveraging the human element. They're also leveraging hacking, from the standpoint of use of stolen credentials or use of command and control or backdoors, in terms of getting into the environment and maneuvering their way laterally throughout the environment, to include exfiltrating data from the environment. In addition to the hacking, they're also using malware, malicious software, as an action type that we study within the DBIR data set. The types of malware that we're seeing for the espionage threat actors go hand in hand with hacking a lot of the time. Number one on the list of malware varieties for espionage breaches is backdoors, over the seven-year period of this study, 79% of the time, followed at 77% of the time by command and control. And then other types of malware varieties that we're seeing are capturing stored data, downloaders, spyware, keyloggers, those types of things. But one of the things with the espionage threat actors, in addition to those types of malware, is, and folks have probably heard this term, living off the land. I also like to use the term blending into the forest as well. These threat actors tend to leverage tools or solutions that are already in the environment, legitimate tools. Just to mention one of them, PowerShell: if PowerShell is there and the threat actors are in the environment, and they see that it's there, and they've got the privileges to run PowerShell scripts, they're gonna do that. After all, why not use those tools and lessen the risk of detection that comes with bringing in additional tools? So, if you've got the ability to use something that's gonna get the job done, live off the land.
And then at the same time, blend into the forest: blend the activity with that particular tool in with the log entries of legitimate activity with that same tool, slowing down the incident response efforts, slowing down the forensics efforts in terms of understanding what's going on with a potential breach.

- [Landon] Let's look at this from the corporate executive suite, and then let's look at this from the chief information security officer perspective. So, let's go with the chief information security officer perspective first. If you're the CISO and you ultimately see that you're a target of nation states as well as criminals, and you see that they're using almost the same techniques, so let's call it your traditional living off the land, your WMI-type attacks, your PsExec attacks, things that are native Windows commands, frankly, and network administration. How do you ultimately build the defenses? What are some of the solutions that you need to ultimately defend against this?

- [John] Absolutely, absolutely. You can think of this in two different parts. First, you need to understand your environment. You need to identify where your data is, your crown jewels, and understand what that data is. Find the assets that data is on, your critical assets, look at who needs access to those critical assets and that data, monitor those accounts and limit those accounts to the extent possible. And then you wanna start expanding from there and looking at your enterprise environment: all of your data stores, all of the places where you have critical assets, the traffic that's moving laterally as well as coming from outside the enterprise environment and leaving from inside to go outside. So, you wanna look at your network devices, make sure that they're configured properly, make sure your assets are configured properly. Make sure you have monitoring in place, but make sure you understand what you're looking for.
When we look at the espionage threat actors, the number one discovery method over the seven-year period, at 42% of the time, was suspicious traffic. So what does that mean? Well, first off, you have to define your data, and your cyber defenders and your SOC personnel, for example, need to know what to look for in that traffic. They need to have the right tools to be able to capture that traffic, the packets for the traffic or derived NetFlow, or even the actual network logs. So define the data, know what to look for, define what is normal traffic, know what to look for in terms of suspicious traffic to determine if it's a security issue, or maybe an operational configuration issue. And then you've got to have the right tools in place, in terms of network detection and response tools, your UEBA tools, your DLP tools, and the expertise to be able to understand those tools, look at that traffic and do the analysis. And you've gotta be fast. You've gotta be quick to be able to dig down into that traffic and see if you actually have a security incident. So that's the first piece. The other piece is you need to look outside of your environment. What I mean by that is you need to look at the cyber threat actors. You need to do cyber threat modeling, you need to understand what these threat actors are doing. At a very basic level, look at those two motives. Espionage threat actors dominated by organized crime. So, start looking into the MO of organized criminals and how they operate, what makes them tick, what they're looking for. And then you need to look at the espionage threat actors, the nation state and the state affiliated, and understand how they operate, where they're coming from, so you can better sync up with the campaigns that they're running, share intelligence, absorb intelligence from all your Intel sources. Get an idea of whether you are a prime candidate for being targeted by either of those threat actors.
So, in the study that we did, we looked at various different industries and it's interesting: every organization can be targeted by espionage threat actors or financially motivated threat actors. But certain industries tend to be more targeted by espionage threat actors, versus other industries being more targeted by financial threat actors. So public administration, manufacturing, professional, mining and utilities, those are all high in terms of espionage breaches. When we look at financial breaches, it's financial and insurance, accommodation and food services, retail, healthcare; those organizations that tend to have certain types of information, more so than other organizations, are targeted by financially motivated threat actors. Those threat actors are targeting PII, PCI data, the data that can be cashed in for financial gain, versus the espionage threat actors who are targeting trade secrets, proprietary information, internal information that can be used for nation state advantage or competitive advantage. So: understanding your environment, and understanding what the threat actors are doing by doing threat modeling, to include how those threat actors operate versus what you have in your environment to defend against their activities. That's what my advice would be.

- [Landon] And so, extrapolating that a little bit from the threat intelligence angle, how have you seen threat intelligence evolve over the past couple of years? I think that probably four or five years ago it was built on IOCs, but you and I both know that a good actor can change up his IP and domain address in minutes. So, really, the utility of IOCs is certainly limited; certainly necessary, but limited. I'm just curious how you've seen it evolve and what you're seeing mature security teams do to go beyond those IOCs.

- [John] Yeah, that's a very good question.
So I see it from a couple of different perspectives, 'cause I have an Intel background, but I also have an investigative background. To put it in perspective, I've seen cyber threat intelligence in the corporate world mature much more over the years than, for example, when I first came onto the team here at Verizon 11 years ago from the Army. When I came on the team 11 years ago, intelligence wasn't really mentioned as much. Then gradually it started being mentioned more and more, but it was more in line with indicators of compromise, having those IOCs at hand to help you out with your investigation. And then I saw it mature even more, where not only was intelligence supporting the investigation from the standpoint of the IOCs, but also getting more into the TTPs, tactics, techniques and procedures, linking up with known threat actors and what they're doing and understanding their modus operandi. And then there were the dark web threat hunters who were providing insight outside the wire in terms of enterprise related intrusions, giving insight into, for example, credentials being sold on the dark web from that same intrusion. So Intel was providing direct support to the investigations. But then, most recently, I started seeing Intel driving the investigation, or being the tip of the spear for the investigation. Take that same example I used a little bit ago, where credentials are found on the dark web and the cyber defenders for that particular organization hadn't detected the breach in the first place. Certainly something had happened, and finding those credentials for sale on the dark web led to a proactive investigation, where Intel tipped off the cyber defenders and the forensics folks, who were brought in to do a deep dive looking at the environment to see if it had been breached.
So, over the years I've seen it move from Intel not being very clearly defined, to IOCs, and now more into TTPs, understanding attribution to the extent you can with the threat actors. Intel has really come to a point where it's starting to mature, almost catching up with the government, where Intel is what Intel is. It's not just a collection of data or information. It's understanding how the threat actors operate and then being able to take that threat model against your environment and come up with a stronger posture in terms of better defending, better securing, better detecting and better responding to threat actors.

- [Landon] Have you seen security operations teams that are intelligence driven, where intelligence is the central hub, or is it more rational that threat hunting and the SOC are gonna be the central hub, and intelligence is one of the spokes along with security operations, red teaming, vulnerability management? What have you seen be successful?

- [John] So, I've seen the standard security operations center become more of a fusion center, depending on the organization and the resources that industry may have, where Intel is a bigger part of the security operations center. As in the example I used before, it's not just supporting investigations, it's now tipping off investigations. So, by the same regard, within the security operations center, if there is an alert that goes out and Intel is grabbing that and pointing it out to the security operations center folks, they're ingesting that into their operations, and they're better able to patch that zero-day vulnerability, or address or look for that particular indicator of compromise or those TTPs, and enhance their ability at cyber defense and detection. So, not only is it maturing from the standpoint of investigations, but it's also providing needed insight for the security operations center folks, for example.
- [Landon] And just curious, have you seen the types of cyber threat intelligence, and the data that goes into it, be useful outside of the SOC? Maybe in fraud, maybe in trust and safety, maybe in third party risk. Have you seen it be applicable outside of just cyber actors and APT33?

- [John] Well, one of the ways that I've seen it used outside of just the tactical operations is that we use that type of Intel to enhance our products, such as our thought leadership products. We use the A4 threat model, which is part of the VERIS framework, which is your actions, your actors, your assets and your attributes, to better understand what threat actors are doing. So we can have a bigger picture from a distance in terms of trends that we're seeing, based on the data driven insight that we have plus the cyber threat intelligence that we have, to project where we feel threat actors are moving next. So that's more of a strategic example than a tactical example. We definitely see Intel as part of our cases, as I mentioned, more and more in direct support of those cases, where we can reach out to the intelligence folks on the team I'm on to get everything from IOCs to an idea of places to look in the forensic evidence that we have that we may not have thought of. And if we're onto a particular threat actor or their campaign, there may be some additional insight there that can play into the evidence sources that we're still looking to collect.

- [Landon] A lot of Intel goes toward, traditionally, the confidentiality, integrity and availability of data, systems and networks. What are some insights and solutions to ultimately protect those key facets, making sure that those three attributes are protected? Where have you seen Intel really drive there?

- [John] So, when we're talking about the VERIS A4 threat model, I mentioned assets and attributes.
So we start from the standpoint of identifying what assets are being targeted by threat actors. For example, for espionage breaches, believe it or not, the assets that are targeted most are the user devices: your desktops, your laptops, your mobile phones. For the financially motivated threat actors, the assets are all over the place: there are web application servers, for example, the user devices I just mentioned, and also customers, for example, which we include as assets. But then when we look at the attributes, the attributes are directly aligned with the assets, and as you mentioned, that's the confidentiality, the integrity and the availability of the CIA triad. Now, for a data breach, by its very definition, confidentiality is compromised 100% of the time. But when we look at integrity, it's very interesting in terms of the integrity attribute variety when we look at the financial breaches versus the espionage breaches. Over the seven-year period that we looked at DBIR data, the number one attribute variety when it came to integrity was software installation, for financial breaches and also for espionage breaches, at 59% and 82% of the time. Now, this is software installation: compromising the integrity of that whole software installation, or the cyber supply chain aspect of patching or updates to the software. One of the examples that we saw, actually in December of this past year, was with SolarWinds. That's a software installation integrity attribute that was impacted in that particular situation. Second to software installation, when it comes to integrity, is alter behavior. This is getting a user, for example, to do something that they shouldn't be doing, like clicking on an email hyperlink or going to a fake website. That was the second highest attribute variety in terms of financial breaches and espionage breaches, at 36% and 77% of the time. So it's software installation, alter behavior.
And then we see it split from there for financial versus espionage breaches, where fraudulent transactions is number three at 25% for financial breaches, and modify configuration is at 12% for espionage breaches. So that's the integrity piece. I think the other part of your question is what can you do about integrity. Some of the solutions you wanna make sure you have in place, or that you wanna enhance, are cyber supply chain risk management: make sure you understand where your software's coming from, and make sure you have things in place to maintain the integrity of that relationship with any of your outside vendors or suppliers. You wanna have secure configurations for your hardware, secure configurations for your software and your applications, as well as your network devices. You also wanna have vulnerability management in place, where you're constantly applying any patches that are needed for any particular pieces of software or applications. And don't forget that alter behavior aspect. You wanna have security awareness and training for your end users, as well as your employees in general, so they're aware of campaigns involving threat actors and phishing, for example, or fake websites, and also have them sensitized to report anything that seems suspicious with their systems, 'cause they can be in some ways the first line of defense for data breaches or potential data breaches.

- [Landon] Now, that's certainly very helpful. And I guess, rounding out here, I'm gonna throw a curveball, just because, why not throw a curveball here. Everything we've talked about over the last 25 minutes is mostly foreign to anyone outside of security. CEOs, CFOs, general counsel might understand a little bit of it. HR is certainly not gonna understand a lot of this. And I'm sure that you've been in an environment where, just staying with the manufacturing sector, they're gonna say, look, we're printing money doing what we're doing.
There's very little that can be done that could ultimately affect the bottom line. As security professionals, we shake our heads at that type of thing, and we know that that's a myopic way to look at things. But for an executive team that does have that mentality, how do you change the mentality, and ultimately educate a CEO who might not be very technical, to understand the threats and understand that ultimately cybersecurity is another important risk in a business?

- [John] That's a good question. And it is something that, as an investigator, I've found over the years: taking your technical findings, for example, and conveying them to non-technical audiences. So, taking what you're seeing from the standpoint of forensics and converting that into simpler plain speak for people who aren't technical. They're sharp people, but they're just not in your realm. So that's one of the things that I've always found to be a challenge: whether you're writing a report or presenting your findings, conveying those technical findings in non-technical terms. So, you've gotta embrace business speak for the higher level executives, the C-level executives; start using terms such as risk, for example, or other terms that are gonna convey to them the potential for the damage that these threat actors can cause. So, you wanna start by understanding your environment, understanding the threat actors with that threat modeling, coming up with different situations that the organization may be faced with in terms of what those threat actors are doing. Now, if you're in a financial organization, that can be different from manufacturing, but the same approach is gonna be there. You've got to frame the story in a way that they understand, using their lingo, their business speak.
For example, some of the things we've done are tabletop exercises or executive breach simulations, where we have the senior folks in the room and we run through a technical example of a data breach scenario. We walk them through what happens all along the way, in terms of what the threat actors have done and what the cyber defenders and the incident responders are doing, so that they understand and see it unfurl. So, that's one way. Another way is, as I mentioned, to use the business speak to convey what the findings are. Another thing we've done is the Data Breach Investigations Report. It's chock full of all kinds of technical data, but if you read that report, it's an enjoyable read. There's a lot of humor in that report, and there's a lot of explaining what it really means in terms of all the facts and figures in the report, so that anybody can understand it. 'Cause over the years we've noticed, and I've noticed personally as well, that not only are data breaches and cybersecurity incidents more and more complex because of the threat actors and because of the environment, but they're more and more complex from the standpoint of the different stakeholders. It's not just your IT security folks that are dealing with data breaches. Now you've got human resources, corporate communications, physical security, the legal team, as well as management, and potentially the board. So, you wanna make sure that they're part of the process: keep giving them updates on what's happening in terms of threat actors, have tabletop exercises and executive breach simulations, and provide publications such as the DBIR for them to read.
One of the other things we did was to anonymize our cases and create Data Breach Digest scenarios that were approached from different perspectives, different standpoints, to help educate folks, telling the story from the standpoint of an HR person or from corporate communications in that particular situation, so that they can understand and see things from their perspective. And then finally, include all those stakeholders, the executives as well, in the incident response management or the incident response plan: make them part of the overall plan, make them part of any testing of that plan, and provide them periodic updates in terms of how you're progressing with cyber defense as well as cybersecurity initiatives.

- [Landon] John, this has been very enlightening. Your expertise is unvarnished. We appreciate your time today.

- [John] Absolutely, thanks a lot.

- [Landon] For the latest subject matter expertise around managed intelligence, please visit us at www.nisos.com. There we feature all the latest content from Nisos experts on solutions ranging from supply chain risk, adversary research and attribution, digital executive protection, merger and acquisition diligence, brand protection and disinformation, as well as cyber threat intelligence. A special thank you to all Nisos teammates who engage with our clients to tackle some of the world's most challenging security problems on the digital plane and conduct high-stakes security investigations. Without the value the team provides day in, day out, this podcast would not be possible. Thank you for listening.