Defending Executives in Their Private Cyber Space Christopher Gore President D4C Global, LLC

Defending Executives in Their Private Cyber Space… · • Advanced cyber threats recognize personal accounts and home networks as soft targets that yield high value cyber espionage


Background

• Air Force Office of Special Investigations
• Cyber-Counterintelligence
• F-35 Joint Strike Fighter
• Executive Protection
• Private Investigator

F-35 Joint Strike Fighter (JSF)

J-31 Chinese Stealth Fighter


Advanced Persistent Threats

• How do they operate?
  • Creative and determined
  • Weakest link in the chain

• What do they want?
  • Center of Gravity
  • Intellectual property
  • “Understand the viewpoints and motivations of influential officials”


Achilles Heel

• The personal email accounts and home networks of executive leaders and key persons are the “Achilles Heel” of U.S. cyber security programs

• Advanced cyber threats recognize personal accounts and home networks as soft targets that yield high value cyber espionage results.


Beyond Remit


Serious Concerns

• In September 2018, Senator Wyden wrote a letter to Congressional leadership addressing “serious concerns” about foreign cyber targeting of the private email accounts of US Senators and Senate staff

• This is true in many corporate policies


Counterintelligence + Security

• Even the most stringent security measures remain vulnerable to persistent threats looking to exploit their target.

• The signature purpose of CI is to confront and engage the threats; to disrupt their activities and neutralize their efforts.


Detecting the Threat

• Discreet monitoring of executive’s personal communication accounts and devices

• Balancing privacy needs with threat intelligence collection needs
• Detect incoming and outgoing indicators


Hardening the Home Office Network

• At a minimum:
  • Robust firewall and antivirus/anti-malware
  • All devices fully updated on software/firmware settings, security patches, etc.
  • Utilize application whitelisting
  • Reduce the attack surface by disabling Java, JavaScript and ActiveX, or by adding script-blocking plugins
  • Eliminate Wi-Fi as much as possible by using an ethernet cable instead
  • Consider establishing two internet lines -- one for the family and one exclusively for the executive
  • Use an outbound firewall to block any malware or malicious programs from being able to connect to the internet
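The two-line and outbound-firewall recommendations above, together with the "detect incoming and outgoing indicators" point from the Detecting the Threat slide, can be checked against firewall logs. The following Python script is an added example, not code from the presentation or from D4C Global: it models an executive segment that is default-deny outbound with a short allowlist, a permissive family segment, and a small set of known-bad destinations, then reviews log lines for indicator hits, allowlist violations that the firewall let through (a policy gap), and blocked attempts that deserve a look at the source device. The segment ranges, allowlist entries, indicator address, log format and log lines are all constructed for the example.

```python
"""Segment-aware egress review for a home office network (added example).

The executive segment is default-deny outbound with a short allowlist;
the family segment is permissive. Every segment is matched against
known-bad destinations. Addresses, policy and log lines are constructed.
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Hypothetical segments (private ranges chosen for the example).
EXEC_SEGMENT = ipaddress.ip_network("10.20.0.0/24")      # executive-only line
FAMILY_SEGMENT = ipaddress.ip_network("192.168.1.0/24")  # family line

# Egress allowlist for the executive segment: (destination network, port).
# Documentation ranges stand in for the corporate VPN and SaaS endpoints.
EXEC_EGRESS_ALLOW = [
    (ipaddress.ip_network("203.0.113.10/32"), 443),  # corporate VPN gateway (constructed)
    (ipaddress.ip_network("203.0.113.0/25"), 443),   # corporate SaaS range (constructed)
]

# Indicator shared by an investigation (constructed; TEST-NET-2 address).
KNOWN_BAD_DST = {ipaddress.ip_address("198.51.100.77")}

# Constructed log format: "<ts> <ALLOW|DROP> src=<ip>:<port> dst=<ip>:<port> proto=<p>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DROP) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

REASON_IOC = "known-bad destination"
REASON_GAP = "exec segment egress outside allowlist (policy gap)"
REASON_BLOCKED = "exec segment egress blocked (review source device)"


@dataclass(frozen=True)
class Finding:
    ts: str
    segment: str
    src: str
    dst: str
    dport: int
    reason: str


def parse_line(line: str) -> dict | None:
    """Return the fields of one log line, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def segment_of(src: ipaddress.IPv4Address | ipaddress.IPv6Address) -> str:
    if src in EXEC_SEGMENT:
        return "exec"
    if src in FAMILY_SEGMENT:
        return "family"
    return "other"


def exec_allowed(dst: str, dport: int) -> bool:
    """True when (dst, dport) is on the executive segment's egress allowlist."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net and dport == port for net, port in EXEC_EGRESS_ALLOW)


def review_egress(lines) -> list[Finding]:
    """Flag IOC hits on any segment and allowlist violations on the executive segment."""
    findings: list[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skipped here, worth counting in production
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        dport = int(rec["dport"])
        seg = segment_of(src)
        if dst in KNOWN_BAD_DST:
            findings.append(Finding(rec["ts"], seg, str(src), str(dst), dport, REASON_IOC))
        elif seg == "exec" and not exec_allowed(rec["dst"], dport):
            reason = REASON_GAP if rec["action"] == "ALLOW" else REASON_BLOCKED
            findings.append(Finding(rec["ts"], seg, str(src), str(dst), dport, reason))
    return findings


def summarize(findings) -> dict[str, int]:
    """Count findings per reason, for a quick daily review."""
    return dict(Counter(f.reason for f in findings))


# Constructed sample log (not from any real device).
SAMPLE_LOG = [
    "2019-03-01T08:00:01Z ALLOW src=10.20.0.5:51234 dst=203.0.113.10:443 proto=tcp",
    "2019-03-01T08:00:02Z ALLOW src=10.20.0.5:51235 dst=192.0.2.50:443 proto=tcp",
    "2019-03-01T08:00:03Z DROP src=10.20.0.5:51236 dst=198.51.100.77:8443 proto=tcp",
    "2019-03-01T08:00:04Z ALLOW src=192.168.1.20:44000 dst=198.51.100.77:80 proto=tcp",
    "2019-03-01T08:00:05Z ALLOW src=192.168.1.21:44001 dst=192.0.2.50:443 proto=tcp",
    "2019-03-01T08:00:06Z DROP src=10.20.0.7:51300 dst=192.0.2.60:25 proto=tcp",
    "not a firewall line",
]

if __name__ == "__main__":
    for f in review_egress(SAMPLE_LOG):
        print(f"{f.ts} [{f.segment}] {f.src} -> {f.dst}:{f.dport}  {f.reason}")
    print(summarize(review_egress(SAMPLE_LOG)))
```

On the sample log the script flags four events: one executive-segment connection the firewall allowed to a destination outside the allowlist (the rule set is not as tight as intended), two contacts with the indicator address (one blocked on the executive line, one allowed from a family device, which shows why the family line still needs indicator matching even though it is not default-deny), and one blocked executive-segment attempt on port 25 that points back at a device worth examining.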


Case Study

• Private U.S. firm received notification from a U.S. Government contact that the contents of their emails were being leaked

• Firm contracted CI team to investigate the email breach and harden corporate networks


Case Study

• Hardening of corporate network prevented continued unauthorized access to email accounts

• Adversaries actively sought renewed access through a variety of cyber-enabled methods

• Attacks targeted both corporate and personal accounts for those closest to the principal


Case Study

• After multiple attempts to regain access remotely, a senior staffer with a privileged account had their personal phone stolen while at dinner

• Cash, credit card, and keys were not disturbed


Case Study

• The following day, staffer received multiple recovery messages from “Apple Support”


Case Study

• Investigation revealed that the message was a phishing campaign originating in Russia


The Need for Consistent Training

• Humans are the weakest link
• Principals and families need constant training, updates, and risk awareness


Hardening the Executive

• At a minimum:
  • Know Yourself and Your Infrastructure -- Company Equipment and Tools, Accepted Policies and Standards, Sensitive Information
  • Who Do You Trust? -- Vendors, Procurement, Automation, Layered Approach
  • The Cost of Convenience
  • Access Management
  • Physical Space
  • Online Privacy
  • Secure Data and Communications


Case Study

• Former U.S. ambassador remained target of cyber campaign after term ended

• Ambassador faced persistent targeting and cyber-harassment


Counterintelligence Neutralization - Background

Former U.S. Diplomat and Business Executive Targeted by Advanced Threat Actors

• Targeting both at work and at home
• Personal devices and home router compromised
• Family devices also compromised
• Gmail/business email account accessed; 2-factor enabled
• CI investigation requested after 5 cyber security firms struggled to disrupt the threat
  • All had the same basic approach – forensics on computers, buy new devices, implement security controls, install security applications, change passwords, etc.

CI Approach – Outside the SOC

• Our team focused on investigation and disruption of the threat actor infrastructure
• Deployment of a covert sensor at the residence – we can see them, they cannot see us
• Seek to disrupt all elements of the threat actor campaign
• Attack infrastructure was vulnerable
  • But not how you might think!


Counterintelligence Investigative Results

Investigation into and analysis of malicious IP space identified several repeated patterns:

• Use of the same street names in different cities and states for IP ownership registration
• Use of cheap, “purchase online” virtual office locations and phone numbers
• Use of similar personnel names and email addresses
• Similar dates and times for IP block ownership registrations
• Similarities in website code, design and errors on “business” sites
• Unreasonable prices for “business” products and services
• No evidence of customers and employees
• Use of stolen images of people and equipment
• Not returning phone calls and emails
• Nominal DNS activity
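Several of the patterns above (shared street names, similar registrant names and email addresses, reused phone numbers, clustered registration dates) are the kind of attributes an analyst pivots on to tie separately registered IP blocks to one operator. The Python script below is an added example, not the presentation's or D4C Global's own tooling: it takes a handful of constructed registration records, derives a comparable key for each linkage type, joins records that share any key with a union-find, and reports each cluster with the evidence types behind it and the number of addresses the cluster covers. The record fields, organisations, contacts and CIDR blocks (documentation ranges) are all constructed; none is a real registration.

```python
"""Link analysis over IP-block registration records (added example).

Groups records that share a street name, a registrant naming pattern, a
phone number or a registration date, and reports the evidence behind each
cluster. All records are constructed; none is a real registration.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Registration:
    block: str           # CIDR block (constructed, documentation ranges)
    org: str
    street: str          # street address as registered
    city: str
    contact_email: str
    phone: str
    registered: str      # YYYY-MM-DD


def street_name(addr: str) -> str:
    """Drop the house number so '120 Maple Ave' and '4410 Maple Ave' compare equal."""
    return re.sub(r"^\d+\s+", "", addr).split(",")[0].strip().lower()


def contact_pattern(email: str) -> str:
    """Registrant naming pattern: local part with digits removed ('jsmith7' -> 'jsmith')."""
    return re.sub(r"\d+", "", email.split("@")[0].lower())


def phone_digits(phone: str) -> str:
    return re.sub(r"\D", "", phone)


# Each linkage type maps a record to a comparable key.
LINK_KEYS = {
    "street": lambda r: street_name(r.street),
    "contact": lambda r: contact_pattern(r.contact_email),
    "phone": lambda r: phone_digits(r.phone),
    "date": lambda r: r.registered,
}


def find_clusters(records: list[Registration]) -> list[dict]:
    """Union records that share any linkage key; return clusters with evidence types."""
    parent = list(range(len(records)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    def union(i: int, j: int) -> None:
        ri, rj = find(i), find(j)
        if ri != rj:
            parent[rj] = ri

    links = []  # (record index, record index, linkage type)
    for link_type, key_of in LINK_KEYS.items():
        by_key = defaultdict(list)
        for idx, rec in enumerate(records):
            by_key[key_of(rec)].append(idx)
        for idxs in by_key.values():
            for other in idxs[1:]:
                union(idxs[0], other)
                links.append((idxs[0], other, link_type))

    groups = defaultdict(lambda: {"blocks": [], "evidence": set()})
    for idx, rec in enumerate(records):
        groups[find(idx)]["blocks"].append(rec.block)
    for i, _j, link_type in links:
        groups[find(i)]["evidence"].add(link_type)

    clusters = []
    for g in groups.values():
        blocks = sorted(g["blocks"])
        clusters.append({
            "blocks": blocks,
            "evidence": sorted(g["evidence"]),
            "address_count": sum(ipaddress.ip_network(b).num_addresses for b in blocks),
        })
    # Largest clusters first. A cluster held together by one type alone
    # (e.g. only a shared date) is weak and needs corroboration.
    clusters.sort(key=lambda c: (-len(c["blocks"]), c["blocks"]))
    return clusters


# Constructed records (documentation ranges, fictitious organisations).
RECORDS = [
    Registration("192.0.2.0/25", "Northwind Hosting LLC", "120 Maple Ave", "Tulsa, OK",
                 "jsmith@northwind.example", "+1 555 0100", "2017-04-03"),
    Registration("198.51.100.0/24", "Summit Cloud Services", "4410 Maple Ave", "Reno, NV",
                 "ops@summit.example", "+1 555 0101", "2017-04-03"),
    Registration("203.0.113.0/25", "Harbor Data Inc", "9 Birch Ct", "Macon, GA",
                 "jsmith7@harbor.example", "+1 555 0102", "2017-09-15"),
    Registration("203.0.113.128/25", "Lakeside Networks", "77 Pine Rd", "Erie, PA",
                 "admin@lakeside.example", "+1 555 0100", "2018-01-20"),
    Registration("192.0.2.128/25", "Blue Ridge Telecom", "300 Oak St", "Boise, ID",
                 "noc@blueridge.example", "+1 555 0199", "2016-11-02"),
]

if __name__ == "__main__":
    for c in find_clusters(RECORDS):
        print(len(c["blocks"]), "blocks,", c["address_count"], "addresses, linked by:", c["evidence"])
        for b in c["blocks"]:
            print("   ", b)
```

On the constructed records, four of the five blocks collapse into one cluster: the first two share a street name in different cities and a registration date, the third shares a registrant naming pattern with the first, and the fourth reuses the first's phone number. The fifth block stands alone. Reporting the evidence types per cluster matters in practice because a single shared attribute, a date in particular, is common among unrelated registrants, while three or four independent overlaps are hard to explain as coincidence.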

Flip

Counterintelligence extends outside the SOC


Counterintelligence Investigative Results

…and resulted in the discovery of over 700,000 IP addresses, owned by 10 businesses, with an estimated annual infrastructure cost of 8 million US dollars.

Fake customers, stolen identities, fake owners, and over $8 million invested in “attack infrastructure”
Counterintelligence question – Who would do this? And why?


Public/Private Coordination = Threat Neutralization

Counterintelligence gathers information:
• Pivot an internal team to investigate threat infrastructure
• Conducted physical investigation and collected information which supports ongoing investigations

Counterintelligence conducts activities:
• Coordination with LE – criminal case
• Coordination with victims – civil case

Results:
• Adversary’s targeting tool neutralized
• Client’s security infrastructure is not overtasked
• Client is more secure
• U.S. public safety and security is increased


CI Perspective = Paradigm Shift