Cyber Threat Intelligence

Photo: Omaha Beach, Normandy, France, June 2012 (D-Day + 68 years).
Introduction to Cyber Threat Intelligence:
Cyber threat intelligence effectively breaks down into three types of intelligence: tactical, strategic, and current.  Tactical intelligence provides security operations support to the cyber security professional; with tactical intelligence, cyber security professionals focus on indicator collection, kill chain analysis, and hunting support.  Strategic intelligence is aligned with the business: analysts develop risk assessments and prioritize threat mitigation, then create assessments to support decision makers.  Current intelligence focuses on early warning of cyber-attackers; decision makers are briefed on current cyber-attack campaigns, social media concerns, geopolitical events that may affect the company, and other emerging cyber threat capabilities.
It is important, while conducting cyber threat intelligence, that the company does not cross into the realm of cyber-attacking.  It is ethical and necessary for companies to conduct cyber threat intelligence on persons that threaten the company; it is not ethical to conduct cyber-attacks on the company's competition.  Cyber threat intelligence is about understanding the persons that attempt to conduct cyber-attacks on the company so that the company can better prepare its cyber defenses against those attackers.  Once a cyber threat intelligence team starts conducting offensive operations on the company's competition, it has wandered into the realm of unethical cyber security practice.
Cyber Threat Intelligence Plan:
The company that I am creating a Cyber Threat Intelligence Plan for is an online clothing store focused entirely on women’s business attire.  Nordstrom, Inc. is considered a direct competitor because it has long been a giant in the retail clothing industry, focusing its sales on high-end women’s casual, business, and formal attire.  I will also address the effects of hacktivists’ and State sponsored criminal hackers’ use of phishing techniques and DDoS cyber-attacks on the company’s Information Technology (IT) systems.
The Threat Assessment for Nordstrom, Inc. is LOW because it is highly unlikely that Nordstrom, Inc. would conduct a malicious cyber-attack against the company, and because Nordstrom, Inc. is refocusing its sales strategy from retail stores to online sales.
Centers of Gravity:
Blake W. Nordstrom, Co-President & Director
Erik B. Nordstrom, Co-President & Director
Peter E. Nordstrom, Co-President & Director
James F. Nordstrom, Jr., President of Stores
Anne L. Bramman, Chief Financial Officer
Terrance Boyle, Executive VP, President of Nordstromrack.com, and President of HauteLook & Trunk Club
  • In a filing, the Nordstrom family stated that, as of June 7, 2017, on a combined basis, they own 51.8 million shares of Nordstrom, Inc.'s common stock, representing about a 31.2% stake in the company. (Reuters, 2017)
  • According to Article 5, Section 5, of the Bylaws of Nordstrom, Inc., “The President or Co-Presidents shall have general supervision and control over the business and affairs of the corporation subject to the authority of the Non-Executive Chairman of the Board of Directors and the Board of Directors.” (SEC, 2017)
  • Not only does the Nordstrom family control nearly one third of Nordstrom, Inc., but the family has also taken effective control of the company by filling the Co-President roles and installing a new CFO.
The remainder of the executive suite has remained in place, including:
Daniel Little: Executive Vice President, Chief Information Officer (CIO)
Scott Meden: Executive Vice President, Chief Marketing Officer
Robert Sari: Executive Vice President, General Counsel, Secretary of Nordstrom, Inc.
Christine Deputy: Executive Vice President, Human Resources of the Company
Karen McKibbin: Executive Vice President and President, Nordstrom Rack of the Company
Geevy Thomas: Executive Vice President and Chief Innovation Officer of Nordstrom, Inc.
Kenneth Worzel: Executive Vice President and President, Nordstrom.com of the Company
Michael Maher: Interim Principal Accounting Officer of the Company
(Bloomberg, 2017); (Reuters, 2017)
Although Nordstrom stock currently sits at 48.56 USD, it has risen nearly 10 USD since the Nordstrom family took control of the company.  Nordstrom, Inc. has also reached a high of 62.82 USD in the last 52 weeks, also occurring after the Nordstrom family took control.
Nordstrom Inc (JWN)
  • On New York Consolidated
    • 48.56USD, 28 JULY 2017
    • Change (% chg) -0.41USD (-0.84%)
  • 52-wk High
    62.82USD
  • 52-wk Low
    39.05USD
The viability of the threat from Nordstrom, Inc. will not come through a cyber-attack.  Rather, Nordstrom, Inc. has the ability to outspend our company on advertising, as well as to gain exclusive contracts with new, up-and-coming fashion designers.  Nordstrom, Inc. is also capable of conducting a hostile takeover if our company becomes too successful a competitor.
The Threat Assessment for State sponsored criminal hackers is HIGH because it is highly likely that State sponsored criminal hackers would conduct a malicious cyber-attack against the company.  A malicious cyber-attack on the company, like the one conducted on Yahoo, can potentially damage the company’s customers, employees, and the company as a whole through the theft of personally identifiable information (PII), money, and proprietary information.
            According to Yahoo, law enforcement along with a third party cybersecurity firm concluded that the attackers were Nation-State actors.  This means that a Nation-State used its military or intelligence services to break into Yahoo. (Newman, 2016), (Roberts, 2016)
Six months after Yahoo released its statement about the cyber-attack on the company, the U.S. Justice Department charged two Russian intelligence officers with directing a sweeping criminal conspiracy that stole data from 500 million Yahoo accounts in 2014. (Goel, Lichtblau, 2017)  The two Russian intelligence agents, Dmitry Aleksandrovich and Igor Anatolyevich, worked for Russia’s Federal Security Service, the F.S.B., which is supposed to help foreign intelligence agencies catch cybercriminals. (Goel, Lichtblau, 2017)
The two other men named in the indictment are a Russian hacker, Alexsey Belan, already indicted in connection with three other computer network intrusions, and a Kazakh living in Canada, Karim Baratov.  Baratov is the only one of the accused hackers who has been arrested in connection with the case; he was captured by the authorities in Canada.  Since the U.S. does not have an extradition treaty with Russia, it is unlikely that the other three cybercriminals will be taken into custody. (Goel, Lichtblau, 2017)
In the end, the attackers were hackers hired by two Russian F.S.B. agents.  It is unknown why the F.S.B. agents wanted to attack Yahoo email; perhaps the agents were also motivated by money.  A more likely explanation is that the Russian government used criminal hackers to attack Yahoo email in order to gain information on potential targets for future exploitation.
The attackers spent little time in phases 1 through 6.  The attack began with the reconnaissance phase in late 2013 or early 2014.  Phase 1, reconnaissance, takes time because it is the planning phase of the attack.  It is unknown how much time the attackers spent researching their target, but what is known is that they were effective.
Phase 2, weaponization, consists of the attackers preparing their payload for the attack.  Once again, it is unknown how long the attackers spent on preparation.
Phase 3 began when the adversary delivered its malicious email.  “The Hack began with a spear-phishing email sent in early 2014 to a Yahoo company employee.” (Williams, 2017)  It is unknown how many Yahoo employees were targeted with the spear-phishing email, but it only takes one employee and one second of bad judgement, clicking on the email, to infect the entire system.
Phase 4 began right away once Aleksey Belan gained access through the malicious email used in his spear-phishing campaign.  The exploitation phase was victim-triggered: it started when the Yahoo employee opened the attachment or clicked on the link in the malicious email.  “Once Aleksey Belan started poking around the network, he took two prizes: Yahoo’s user database and the Account Management Tool, which is used to edit the database.” (Williams, 2017)
Phase 5 occurred almost immediately after, or concurrently with, phase 4, as he installed a backdoor on a Yahoo server.  The installation phase consisted of the attackers installing a backdoor to maintain access for a long period of time.  “So he wouldn’t lose access, he installed a backdoor on a Yahoo server that would allow him access, and in December he stole a backup copy of Yahoo’s user database and transferred it to his own computer.” (Williams, 2017)
Phases 6 and 7 occurred immediately after the backdoor was installed on a Yahoo server.  The Command and Control phase began when the hacker transferred Yahoo’s user database to his own computer.  Phase 7, the Actions on Objectives phase, began immediately with the theft of the Yahoo user database.  “The database contained names, phone numbers, password challenge questions and answers and, crucially, password recovery emails and a cryptographic value unique to each account.” (Williams, 2017)  The Actions on Objectives phase continued throughout 2015 and into 2016.  “The hackers were able to use stolen cryptographic values called "nonces" to generate access cookies through a script that had been installed on a Yahoo server.  Those cookies, which were generated many times throughout 2015 and 2016, gave the hackers free access to a user email account without the need for a password.” (Williams, 2017)  The attackers not only stole personally identifiable information but also retained the ability to access Yahoo user emails for two years.
The attackers’ phases overlapped through much of the attack on Yahoo.  Although we know little of the reconnaissance and weaponization phases, it is likely that there was some overlap between them: as more information is discovered during reconnaissance, it is logical that the attackers would alter their planning during weaponization.
The delivery phase occurred when the attackers actually sent the malicious email.  The exploitation phase started the moment the Yahoo employee opened the malicious attachment or clicked on the link.  While still conducting the exploitation phase, the attacker also started the installation phase by installing a backdoor on a Yahoo server, and then, still during exploitation, began the Command and Control and Actions on Objectives phases.  The attackers overlapped phases through just about the entire attack on Yahoo, in order to expedite the process and gain more data in a shorter period of time.
Yahoo could have interdicted the attackers at several phases.  In Phase 3, delivery, the attackers sent the malicious payload to the victim by email in a spear-phishing campaign; Yahoo could have interdicted at this point.  Yahoo had neglected to properly train its employees to spot potentially malicious emails.  Training on safe computing for work and home environments, along with information assurance training, could have mitigated this risk.
Yahoo had the opportunity to interdict in phases 4 through 7 as well.  Yahoo did know of the attack when it occurred in 2014, but did not know the extent of the damage.  “Yahoo first approached the FBI in 2014; it went with worries that 26 accounts had been targeted by hackers.  It wasn't until late August 2016 that the full scale of the breach began to become apparent and the FBI investigation significantly stepped up.” (Williams, 2017)  This shows that Yahoo knew a malicious email had been opened by one of its employees and that the exploitation phase had started.  It took Yahoo two full years to learn how bad the attack was and to release information about it to the public.  “In December 2016, Yahoo went public with details of the breach and advised hundreds of millions of users to change their passwords.” (Williams, 2017)
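The phase overlap and the two-year gap between compromise and full awareness described above can be modelled as intervals on a timeline.  The following is an added example, not part of the original plan: the phase dates are constructed approximations of the narrative (the page gives only "late 2013 or early 2014", "December", and "2015 and 2016"), and the two detection milestone dates are assumptions.

```python
from datetime import date
from itertools import combinations

# Approximate kill chain phase intervals for the Yahoo intrusion as narrated
# above.  Exact dates are ASSUMED for illustration; only the rough periods
# (late 2013/early 2014, December 2014, 2015-2016) come from the narrative.
PHASES = {
    "1 Reconnaissance":        (date(2013, 10, 1), date(2014, 2, 1)),
    "2 Weaponization":         (date(2013, 12, 1), date(2014, 2, 1)),
    "3 Delivery":              (date(2014, 2, 1),  date(2014, 2, 1)),
    "4 Exploitation":          (date(2014, 2, 1),  date(2014, 12, 31)),
    "5 Installation":          (date(2014, 2, 1),  date(2014, 12, 31)),
    "6 Command and Control":   (date(2014, 12, 1), date(2016, 12, 31)),
    "7 Actions on Objectives": (date(2014, 12, 1), date(2016, 12, 31)),
}


def overlapping_phases(phases=PHASES):
    """Pairs of phases whose intervals share at least one day."""
    pairs = []
    for (a, (a0, a1)), (b, (b0, b1)) in combinations(phases.items(), 2):
        if a0 <= b1 and b0 <= a1:
            pairs.append((a, b))
    return pairs


def dwell_days(first_compromise, detection):
    """Days the intruder was present before the defender recognised the scale."""
    return (detection - first_compromise).days


def active_at(when, phases=PHASES):
    """Phases still running on a given date: the ones a detection on that date
    could still interdict rather than only investigate after the fact."""
    return [name for name, (start, end) in phases.items() if start <= when <= end]


def summary():
    """Detection milestones from the narrative: Yahoo's first report to the FBI
    in 2014 and full-scale awareness in late August 2016 (exact days ASSUMED)."""
    delivery = PHASES["3 Delivery"][0]
    first_report, full_awareness = date(2014, 6, 1), date(2016, 8, 25)
    return {
        "overlapping_pairs": len(overlapping_phases()),
        "dwell_days_to_full_awareness": dwell_days(delivery, full_awareness),
        "active_at_first_report": active_at(first_report),
        "active_at_full_awareness": active_at(full_awareness),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```

With these assumed dates, 15 of the 21 phase pairs overlap, exploitation and installation were still active at the first 2014 report, and roughly 936 days elapsed before the full scale was recognised.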
The breached data includes names, email addresses, phone numbers, birthdays, hashed passwords, and a mix of encrypted and unencrypted security questions and answers.  The breach does not include unencrypted passwords, credit card numbers, or bank account information. (Newman, 2016)  The attackers were after this data in order to sell it to the highest bidder on the internet; the attackers’ end state was to sell the data for money.
The Threat Assessment for Hacktivists is HIGH because it is highly likely that Hacktivists would conduct a malicious cyber-attack against the company.  Hacktivist organizations, such as Anonymous, have declared to the White House that DDoS cyber-attacks are a legitimate form of protest.  Hacktivists often target a company because they do not like the company’s business practices or they deem the company too greedy.  In the case of the Dyn DDoS cyber-attack, the hacktivist organization Anonymous conducted its cyber-attack to protest a political event that occurred in another country.
[Chart: threat assessment for the three most likely attackers and their most likely courses of action]
The chart above depicts the threat assessment for the three most likely attackers and their most likely courses of action.  Nordstrom, Inc.’s most likely course of action would not be a malicious cyber-attack; rather, it would outspend our company and possibly buy out the company through legal means.  The Hacktivists’ most likely course of action would be a DDoS-style attack by way of social engineering phishing attacks.  This is highly likely since Hacktivist organizations, like Anonymous, have declared DDoS attacks a legitimate form of protest.  The State sponsored criminal hackers represent the most dangerous course of action against the company: the sheer amount of resources that a State sponsored cyber-attacker has can potentially cause unrecoverable damage to the company.
For the company to be fit to defend against a malicious cyber-attack, we must take a proactive approach to cyber threat intelligence.  This can be achieved in three steps: first, create intelligence requirements that will optimize our company’s operational security controls; second, conduct a gap analysis of existing security operations capabilities, talent levels, and collection capabilities; third, employ a “red team” to investigate the company’s exposure to adversaries on the internet.
The key principles and best practices to implement include building a staff able to attend to the details while at the same time seeing the big picture.  The staff will not need to be large, perhaps a dozen personnel, but they will need to be detail oriented.  They will need to be able to identify vulnerabilities like outdated software, and they will need a grinding work ethic that allows them to actively search out and plug holes in the network.  The team will need to understand the cyber intelligence mission and have a passion for the work.  The company will also need a “red team” to investigate what our company looks like to different adversaries and to understand the company’s threat exposure on the internet.  Intelligence requirements will need to be created to operationally map security controls and provide the decision support that helps analysts do their job more effectively. (Brighttalk, 2017)
Cyber intelligence analysts will need to triage threats into categories so that the most dangerous threat receives attention first and the least dangerous threat is placed toward the end of the list.  The cyber intelligence analysts must know and understand the intelligence requirements that have been created to drive their collection.  In the analysis phase, a gap analysis will need to be conducted on our existing security capabilities and collection capabilities.
Resources required to defend against a Dyn-style DDoS attack include proper server configuration, DDoS mitigation appliances, an intrusion detection system, and black-holing as a last resort.  Ensuring that at least one member of the staff is proficient in server configuration will help mitigate the risk of a DDoS attack on the company.  DDoS mitigation appliances are dedicated to sanitizing traffic on the network; this capability, along with an intrusion detection system, provides some anomaly detection capability.  If all else fails, the staff can fall back on black-holing: all traffic is diverted to a black hole, where it is discarded.  The downside is that all traffic, good and bad, gets dropped.
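The anomaly detection capability and the black-holing trade-off just described can be made concrete with a small rate-based detector.  This is an added example, not code from the plan or from any appliance vendor: it counts per-source request rates over constructed web-server log lines, flags sources that exceed a threshold, and compares dropping only the flagged sources with black-holing everything.  The log lines, the documentation-range IP addresses, and the threshold are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined-log-format line: client IP, two ident/user fields, bracketed
# timestamp, quoted request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def build_sample_log():
    """CONSTRUCTED log lines (no real traffic): one source hammering the
    catalog page 50 times in 10 seconds and two shoppers browsing normally."""
    lines = []
    for i in range(50):  # 203.0.113.7 sends 5 requests per second for 10 s
        lines.append(f'203.0.113.7 - - [28/Jul/2017:10:00:{i // 5:02d} +0000] '
                     f'"GET /catalog HTTP/1.1" 200 8192')
    for i, ip in enumerate(["198.51.100.20", "198.51.100.21"]):
        for j in range(3):  # each legitimate shopper makes 3 requests
            lines.append(f'{ip} - - [28/Jul/2017:10:00:{2 * j + i:02d} +0000] '
                         f'"GET /item/{j} HTTP/1.1" 200 4096')
    return lines


def parse_line(line):
    """Return (ip, timestamp) or None; malformed lines are skipped, not trusted."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def peak_rates(lines, window_seconds=10):
    """Highest request count each source reached within any fixed window."""
    buckets = defaultdict(Counter)  # window index -> Counter of source IPs
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        buckets[int(ts.timestamp()) // window_seconds][ip] += 1
    peak = Counter()
    for counts in buckets.values():
        for ip, n in counts.items():
            peak[ip] = max(peak[ip], n)
    return dict(peak)


def flag_sources(peak, threshold):
    """Sources whose peak rate exceeds the threshold, most aggressive first."""
    return sorted((ip for ip, n in peak.items() if n > threshold),
                  key=lambda ip: -peak[ip])


def apply_policy(lines, flagged, blackhole=False):
    """(kept, dropped) request counts.  Selective filtering drops only flagged
    sources; black-holing drops everything, which is why it is a last resort."""
    kept = dropped = 0
    for line in lines:
        parsed = parse_line(line)
        if blackhole or parsed is None or parsed[0] in flagged:
            dropped += 1
        else:
            kept += 1
    return kept, dropped
```

On the sample, selective filtering keeps all six legitimate requests and drops the fifty flagged ones, while black-holing drops all fifty-six.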
The company will need to implement a mandatory employee training program focused on safe computing in the workplace, safe computing at home, and information assurance.  The cyber-attack on Yahoo began because a Yahoo employee opened an attachment or clicked on a link in an email from an unknown sender.  Once the employee clicked, the malicious package was delivered and the exploitation phase of the attack had begun.  If the company emphasizes training employees to spot potentially malicious emails, we can prevent a Yahoo-style attack.  The company will also need to invest in a next-generation firewall, an application firewall, and an IDS/IPS.  Prioritizing patches and triaging threat alerts will help mitigate further network vulnerabilities.
To mitigate risk to the company’s IT infrastructure and promote a robust approach to cyber threat intelligence, the company will require a cyber threat intelligence product that takes a holistic approach to cyber threat mitigation.  The cyber threat intelligence product that I have chosen for the company comes from a well-respected defense industrial base company with roots in San Diego: SAIC.  SAIC provides an end-to-end solution that meets current and future cyber life cycle management needs.  SAIC calls this product CyberSecurity Edge. (SAIC, 2017)
CyberSecurity Edge utilizes non-intrusive penetration tools that can find recently exploited threats and vulnerabilities, as well as cutting-edge automated scanning tools.  SAIC staff can work on-premises, off-premises, and in hybrid environments to train our employees on the CyberSecurity Edge system.  The assessment phase includes a review of cybersecurity processes, procedures, documentation, and physical and personnel security.  Their implementation process will alleviate the need to completely change our infrastructure. (SAIC, 2017)
The Total Cost of Ownership will depend on the technology requirements necessary to meet our business goals.  SAIC will customize a “pick & play” solution to meet our company’s needs based on the level of risk to the company’s IT infrastructure that we are willing to accept.  After implementation, SAIC will continue to manage the security plan from the SAIC Secure Operating Center, or it can provide certified personnel to complement our cybersecurity staff.  Through this tailored plan we will save money by choosing only the capabilities that we need and avoiding extras that are not needed. (SAIC, 2017)