2024 IBM X-Force Threat Intelligence Index Webinar Flashcards

1
Q

Exploiting the human attack surface & the shifting tides of cyber threats

Introduction

There’s been a 71% increase in 2023 in the number of attacks caused by the use of valid accounts. That’s telling us that attackers are logging in, not hacking in; they’re using valid accounts.

It is also evident that bad actors are investing in infostealers as well, as we’ve seen a 266% increase in the use of infostealers. An infostealer is a type of malware designed to harvest sensitive data from a compromised system. The stolen data is sent to an attacker-controlled server and often sold on the black market to other threat actors, who may use the information to commit fraud or gain unauthorized access to various resources and assets. And ransomware obviously remains a really hot topic. Ransomware operators are pivoting to extortion, versus data theft, versus encryption.

Finally, about 70% of the attacks that X-Force responded to in 2023 globally were against organizations in the critical infrastructure space.

March 4, 2024

30/03/24

A

Panelists

Michael Rowinski, Director of Marketing & Communications, IBM Security

Ryan Lozinski, Supervisory Special Agent, FBI, Cyber Division. Ryan provides oversight and direction to investigative teams across the country. He previously served as the law enforcement liaison at the National Cyber Forensics and Training Alliance, which is a nonprofit public-private partnership for cyber threat information sharing.

Kevin Albano is an associate partner with IBM X-Force. He has about 18 years of experience working in the information technology, law enforcement and security consulting space, and over his career he’s been focused on investigating computer network intrusions and disrupting some of the largest cyber espionage campaigns. Kevin is responsible here at IBM for our threat intelligence collections, managing advanced threat research and directing our information analysis.

2
Q

Clearly, user credentials have become the top choice for threat actors. And I know the FBI dismantled a massive identity theft cybercrime operation late last year. Are you concerned that this tactic is getting out of control?

Ryan
I agree with you. I think the pivot towards legitimate credentialed access to networks is of concern to us, and this is central to one of the ways that we try to address the cybercrime problem. You know, we focus not only on the most overt issues; you mentioned ransomware, which we’ll talk about later. But really, we try to address the entire criminal ecosystem.

Just to give you a quick highlight, there were over 80 million stolen credentials available through one platform, Genesis Market. And what that means is that as a threat actor, I don’t necessarily have to focus on the deployment of malware or even infostealers to gain access to some of our networks. All I need to have is a profile or a presence on a platform like Genesis Market. Those were sold for pennies on the dollar, and that access is real and legitimate. It was a particularly harmful and dangerous marketplace. So we definitely see harvested credentials as a key enabler of cybercrime.

A

Kevin
When a login or legitimate account goes from legitimate to malicious, that’s a very difficult thing to investigate. You have to have the right detections in place, evidence in place, to be able to figure out when that turn actually happens.

These types of investigations tend to run for 11 months, in order to go from the point of identifying the breach to when you’ve recovered from that. So 11 months of investigating and trying to figure out when the earliest date of compromise was, and then being able to determine what was compromised since the earliest date of compromise.

Infostealers grab information about what you’re doing online. So from your browser, from your PC, they’ll grab the logins and credentials from the places that we all visit. And so as our digital lives have expanded, we’re working online, financing online, socializing online, etc. What you’re finding is that there’s a lot more information about us, and the infostealers are grabbing that. One of the important things is that once they’ve grabbed all that information from us, it’s very easy to create the login and create the identity, making it easier for the threat actors to know more about our lives and get into systems based on the information that’s being stolen.

3
Q

What is the FBI recommending here that organizations do to better safeguard themselves against this sort of new reality?

Historically, we’ve seen threat actors drive towards legitimate credential access on the networks that they target. So that’s not necessarily something that’s new, but it is part of the larger problem set. Within the criminal ecosystem, there is this carve-out now for infostealer malware feeding the larger, what we call almost like the international initial access broker, in the threat actor space. There is increasing specialization among bad actors.

From a protective standpoint, there is a growing industry where they’re actually going out and identifying markets that sell credentials. So credential checking or monitoring services are becoming big business. That feeds into something that we have put a focus on over the last several years, in terms of our cyber criminal disruptive strategy, which is to proactively share information with impacted organizations on credentials from their organization that have been stolen.

A

When we talk about legitimate credential access and the challenges for detection, it really gets down to knowing your network. Years ago, I was engaged with a cleared defense contracting organization that was responding to an alert they received from their domain controller. And what was unique about that was the time and the day of the login: 3 a.m. on Veterans Day. Defense contractors are former military members. So Veterans Day is a special day. And what they had done was they actually set up an alert to notify all of the network administrators and security personnel if there was a login on the domain controller at any time of day, day or night. So in terms of best practices, I would say: know your network, what are your crown jewels, what are you trying to protect, know what’s normal and what’s not normal, and try to baseline it.

Let’s talk about ransomware. There’s been this sort of shift where organizations have sometimes started not paying, and it’s really putting some pressure on the syndicates. How do you anticipate this might change the impact or the economics of the ransomware model?

4
Q

Cyber criminal actors are imaginative, and they adapt and they respond to law enforcement actions or the actions of network defenders at a more granular level.

We’ve seen this gradual uptick in using mechanisms and methods to compel their targeted organizations to pay, whether we call it a ransom fee or an extortion fee. We kind of all put it in the same sort of bucket of a criminal computer intrusion that is financially motivated. And we have a number of historically significant ransomware actors and groups that have pivoted, not necessarily fully towards data theft extortion as a criminal business model, but that is certainly part and parcel of the way they do business. So it’s not only encryption, it’s data theft extortion and encryption. And they’re also using a lot of other interesting techniques to increase the pressure or amplify the pressure on the victim to pay.

Nowadays I have to be concerned about proprietary or personal identifying information that has been stolen by a criminal adversary. But then I’m also concerned with persistence mechanisms that may remain well after paying a ransom or an extortion fee. So, you know, it’s a triad of concerns for the victim.

A

One thing that’s been promising over the last several years is for victims to have done a really good job with maintaining secure offline backups, which is a suggested best practice and has been for years. Cyber criminal actors not only conduct distributed denial of service attacks on the targeted network, but they could also be using phone call service providers to levy pressure on C-suite executives. They’ve sent direct targeted emails to personal email accounts of the C-suite executives. They’ve even gone to the lengths of sending flowers or chocolates to those same executives to intimidate them into coming to the table to negotiate. So they use violence as a service. Can we pay somebody in the local area of an executive to throw a brick through their front window? There is a sliding scale of escalation out there, and it’s something that organizations need to be aware of.

These criminal actors have shown that even if they’re found out, even if there’s a takedown, they’ll rebrand and they’ll come back. Most ransomware attacks were conducted in Europe. You still see that same type of ransomware: encrypt, pay my ransom and I’ll decrypt. But now they are also using intimidation.

5
Q

What the infostealers do is they pull up your browser history. They can see where you’ve been. They can then start to put two and two together in terms of what might be the most influential way to intimidate you or get at you, to say, I think I need to pay this person money in order to get this data back. And they’re no longer encrypting it; they’re logging in and taking the data. I’m gonna release it or I’m gonna use it to shame you. Another example is the use of affiliates, when you can get someone as part of your crew to take action.

We’ve made it harder for the traditional ransomware by rebuilding instead of paying that ransom. The International Counter Ransomware Initiative has 40 member nations coming together to say, we’re not gonna pay that ransom. So it is a global response to ransomware.

About 70% of threats happened in the critical infrastructure space. They’re feeling the brunt of these ransomware attacks because of the legacy, the debt that they have within their environment. When you look at the entry point of when breaches happen in critical infrastructure, 30% of the time the entry point is through external public-facing applications.

A

What can be defined as critical infrastructure? I think it is subjective and really depends on, maybe even, what part of the country you’re from. I was a special agent in Las Vegas. And, you know, some could argue that the gaming industry in Las Vegas could be considered critical infrastructure because of the impact it has on the economy of that area.

What people at the Cybersecurity and Infrastructure Security Agency are doing right now is they’re hard at work implementing the reporting requirements for the CIRCIA statute that was recently passed in Congress. Those reporting requirements are set to be implemented fully in 2025.

But what that’s really telling us is reporting is critical, information sharing is critical and partnerships are critical. Some of the recommendations in that guidance that I referenced earlier from CISA and the FBI and others is to establish partnerships with information sharing and analysis centers, so you know who to turn to for information and advice.

6
Q

From the law enforcement perspective, we maintain dogged persistence on those threat actors that are impacting those networks, and that may take months or years. But we work really, really hard to find those threat actors that are committing those attacks. We have some recent examples of successful prosecutions of individuals that have been in this game for literally the past decade plus. Once they’re on our radar, they don’t come off. And reporting from victims helps drive our investigations, but it also feeds into our external advisories and products that serve to better bolster the security across the industry. We track and map those vulnerabilities that are exploited most routinely across a broad spectrum of targeted entities and provide that feedback back out to the community. And in this vulnerability warning pilot, we’ll actually actively scan and try to identify systems that are vulnerable to attack that have yet to be patched. Good cyber hygiene, the basics, are good, but our government is trying to take steps as well.

Is there a recommendation that you have from a technological approach, some space where they should be investing, or an area they can control in-house a little bit more?

A

Having an incident response plan is really important. And not only that, but exercising that plan, to include out-of-band communications. Who do you call, how do you call them? Do you use the corporate email network that might have been compromised by the bad guy? Do you have the phone numbers of all your critical personnel? And at what point do you roll in law enforcement or a representative from CISA into the game? Who’s your cyber insurance broker point of contact? Who are your on-call incident response teams for the external response?

There’s some really interesting numbers about the average cost of a data breach. I think it was around $4.5 million. But those companies that engage with law enforcement proactively saved about 10% of that value by engaging with law enforcement early.

A lot of what you’re talking about here is preparedness and the playbooks and testing them and having relationships with the right law enforcement officials.

7
Q

Let’s talk about AI now. The X-Force team in the report is suggesting that once a generative AI platform moves past this sort of pre-mass-market stage and has some clear dominance in the space, that’s when attackers will really start investing in attacking them. Cloud technology is one example. What led the team to this assessment? And does that mean that AI is safe until then, or should we be concerned?

Kevin
Generative AI is so fast moving that finding parallels in the tech industry is pretty difficult, and the team did a really good job. Malicious LLMs, large language models, can craft emails or spear phishing emails and do simple tasks. So the use of AI is something that is gonna impact us. For example, one healthcare company with about 1600 individuals came together. The X-Force team figured out a way to write five simple prompts and generated a phishing email in about 5 minutes. The typical time that it took the X-Force folks to generate the same type of spear phishing email was about 16 hours. The AI-generated emails had an 11% click rate, right, which is better than the normal click rate, versus the X-Force generated ones, which had a 14% click rate.

A

Engineers and developers working in AI are still trying to figure it out. In the end, the goal is: what do you really want to do with AI? The end goal of, do I want to be able to execute a full attack through AI, or do I want to manipulate the AI framework?

Ryan
From a phishing standpoint, speed and quality are only gonna get better over time. If we’re talking about phishing as a problem set, one of the recommendations we’ve had historically is to look for misspellings, look for punctuation or other grammatical errors. And that advice isn’t necessarily going to fly with something that’s generated by the GPT.

And then the use of AI also gets into the challenge of attribution, if you’re using a bot to generate all this stuff for you and maybe even drive coding efficiencies that mask the malware to a greater extent than what was previously possible. That’s also a really big challenge for law enforcement as well. So it’s gonna be a whole new attack surface.

8
Q

How does one get in touch with the FBI?

The FBI is organized into 56 different field offices all across the United States, and we also maintain a presence in well over 80 embassies worldwide, where we have what we call legal attachés. So outside the United States, we have cyber experts at almost two dozen locations around the globe right now, where we have specifically trained cyber assistant legal attachés.

Getting back to engaging with the FBI, we have a lot of outreach at our local field offices in the United States. We have outreach coordinators, and we also have cyber investigative squads at each one of those field offices, which conduct their own outreach and partner very closely with our other federal law enforcement agencies like the Secret Service, and we also partner with the Cybersecurity and Infrastructure Security Agency.

A

Any advice that you would give to people starting their AI journey from a security perspective?

Kevin
IBM has done a lot of work in this area. And we’ve been working with the US government as well to develop AI governance.

Stress-test your environment. Make sure that you understand the ways to get into your environment, because threat actors are making sure that they’re resilient in your environment.
