xorl %eax, %eax

How much is unauthorized access sold for?

leave a comment »

This is a hard question for a few different reasons. The simplest answer would be: As much as the buyer is willing to pay. And this is partially true. In some occasions buyers are paying very high prices in private to cyber-crimnals to avoid all the hassle and risks of a cyber intrusion operation, and just buy the confidential data or remote access to their target. Here I will present a quick study on the recent prices for access to victims’ networks from data I collected from various cyber-crime forums.

What you see above is an example of what I am talking about. Such posts are are occasionally appearing on underground forums such as Exploit, RaidForums, etc. My methodology was to collect the 100 most recent such offers that met the following criteria:

  • Stated the price
  • Provided privileged remote access (such as Domain admin)
  • Described the victim (name, size, etc.)
  • Described the country of the victim

So, I collected 100 such entries which go back to mid-June 2020. Then I did some research on LinkedIn and other open sources to enrich the listings and here are my final results:

  • Average price is $7,768
  • 48% of the victims had less than 500 employees
  • 81% of the victims were from the private sector
  • Most victims were from the USA (34% of all listings)
  • Financial sector was the most targeted industry (24% of all listings)

I know that people like visualizations, so here you can find some graphs I generated.

Written by xorl

August 26, 2020 at 20:33

The role of linguists in threat intelligence teams

with 2 comments

DISCLAIMER: Just to be clear, the following do not represent my employer and the examples are not from my employer. Threat intelligence is something I really enjoy doing and for this reason I get the opportunity to help many organizations.

No matter how good your malware and intelligence analysts are, in most occasions during an intelligence operation you will end up having to deeply understand a foreign language. The language of your target. Whether this is something as simple as finding the right communication media (forums, messengers, social media, etc.) for collection, or interacting with a threat actor to elicit information, the fact is that a linguist can play a key role to the success of a threat intelligence team.

Like most people in this field, I am constantly trying to learn about foreign cultures relevant to the intelligence requirements. However, that cannot replace the role of a skilled intelligence linguist who is not only an expert in the specific language(s), but they also fully understand things that are much harder to grasp such as: Local culture, customs, habits & traditions, slang, different accents, history, etc. So, although knowledge of foreign languages is a plus for simple tasks, they cannot replace the role of an experienced linguist.

I know that many people enjoy some good ol’ war stories… So, I’ll share with you three quick ones from my personal experience which show the value of having that skillset in your threat intelligence team.

Slang terms
Years ago, I had almost no knowledge of the Russian language and I was collecting intelligence on a Russian-speaking threat actor. The first challenge was identifying and getting access to all the forums the threat actor had access to. And I still recall this… It was the first time I came across one of the most common slang terms in Russian-speaking threat actors, the term “Логи” (literal translation is: logs). I still recall that it took me a few hours to figure out this simple term. For those curious, “Логи” is used to describe compromised data such as accounts with credentials, cookies, etc. typically collected from a piece of malware. So, if someone wants to buy compromised accounts for Example.com derived from a malware they might make a post titled “куплю логи Example.com” (literal translation is: buying Example.com logs). For an intelligence linguist that would have taken them less than a second because it’s such a commonly used slang term.

Local communities
Some years ago I was working on the threat landscape of a foreign company operating in a specific domain in a region of China. For this reason, I spent quite some time trying to become familiar with local threats as well as local threat intelligence experts to get their perspectives. Even though I was physically located in this region of China, it was very challenging since people didn’t trust me, a foreigner, with potentially confidential information and it took a lot of effort from my side. Eventually, one day I managed to build rapport with a local person and within hours that person gave me so much information that it was impossible to collect in months. If a linguist was available at that time, they would have already knew at least 60% of what this person told me, and be able to find the other 40% much faster and cheaper than me due to their skillset.

Historical/cultural information
I recall once an investigation where I was helping with the attribution of a cyber-criminal where we had been able to collect a decent amount of information from the threat actor and we were in the analysis phase of the intelligence cycle with the requirement being de-anonymization/attribution. One of the collected information was a screen recording of the threat actor performing their illegal activity. At some point in the video recording, there were literally two frames where an Arabic language text appears. It was blurry and unclear. However, using a linguist, they informed us that this was a specific expression used by a very specific group of people. This tiny piece of detail helped us uncover the identity of the target. However, that knowledge would be impossible to know without very deep understanding of the local culture and history.

I understand that many of my readers might not have the capacity to have dedicated linguists for all the languages their threats are originating from in their intelligence teams. So, what can you do in this case? Here are some suggestions:

  • First identify the most prominent languages relevant to your intelligence requirements
  • At a minimum encourage and support your threat intelligence personnel to learn those languages by providing trainings, budget, and learning tools
  • If deemed safe, allow your personnel to travel and stay in those foreign countries for sufficient time to understand, at least partially, the culture, habits, customs, etc.
  • There are companies and government organizations offering cultural awareness trainings for different countries. Use those as a means to get your personnel familiar with their targets’ culture and mindset
  • As the team grows, hire dedicated analysts native in the targets’ language(s) and potentially even split the teams to relevant areas of responsibilities (LATAM, APAC, MENA, etc.)

In conclusion, before adding more reverse engineers or DFIR analysts to your intelligence team, I would highly encourage you to consider having some dedicated intelligence linguist(s). That skillset can be a force multiplier for an intelligence team. And if you cannot hire such experts, at a minimum, support your people to grow their intelligence linguist skills as described above.

Written by xorl

August 20, 2020 at 11:03

Dumpster diving is still alive

leave a comment »

I would like to use a recent example to demonstrate that this threat is still valid, and companies should be considering it in their security policies. Especially, in the lockdown/remote working situation that many companies implement at the moment, this is an even bigger threat.

Dumpster diving is nothing more than going through someone’s (company or individual) trash/dumpster to discover proprietary information. Some of the most high-profile cyber-espionage cases that I am aware of had used this technique very effectively. But there is also the cyber-criminal aspect of it. For example, recently someone at Nizhny Novgorod found 10 folders with confidential information from the Vozrozhdenie Bank.

This happened literally days ago in a large organization (around 45k employees) and it shows that this threat is still relevant even for mature companies. Even more so now that many people work from home which implies that they might not have access to the facilities they had in their normal office environments. Here are some recommendations if you don’t already do that:

  • Have a clear policy for document handling/lifecycle
  • Have data classification that aligns with the policy and treats different classifications with proportional measures
  • Provide document destruction/disposal procedures
  • Provide the required equipment/facilities
  • Train, train, and train some more your employees on this threat
  • Use watermarks to identify the source of the leaks
  • Continuously monitor for leaks not only for digital goods, but also for physical ones (like documents, corporate devices, etc.)

Written by xorl

June 15, 2020 at 12:17

Posted in security

Lessons from the Twitter Saudi espionage case

leave a comment »

I was recently going through the Saudi Arabia espionage case on Twitter that went public in November 2019. I think there are lots of interesting lessons for any threat intelligence, and security in general, team in this case, which demonstrates a combination of cyber and traditional HUMINT techniques.

There are lots of information out there, but in my opinion the best source is the 27-pages long U.S. Department of Justice criminal complaint which goes through lots of details both on the counter-intelligence operation that the FBI in collaboration with Twitter did, but also all of the activities of the threat actors.

In summary, using a front charitable organization the Saudi intelligence officers organized a tour at Twitter’s office where they made their first contact with the insiders (also Saudi nationals working at Twitter) that they later recruited and used them to access over 6000 Twitter accounts’ data for intelligence collection purposes. After that they had several meetings in various locations (including during Twitter corporate events), and the intelligence officers were paying the insiders through a variety of means (wire transfers, deposits to relatives abroad, companies, etc.) for their services. The intelligence they were after was anything from dissidents, to background checks, and other intelligence collection targets (people that they were tracking).

I was trying to summarize the lessons that a threat intelligence team can take from this corporate espionage case, and here is what I came up with.

  • The insiders were SREs but they managed to obtain access to customer data via internal tools. Monitoring for such activity should be relatively easy with good role definitions and UBA rules and can quickly identify insider threats.
  • In a similar manner, the insider SREs were able to bypass the normal Twitter account takedown/complaint process and do it themselves for accounts requested by their handlers. Like the above, any access to systems outside the team owned services should be something to monitor.
  • The criminal complaint has some references where one of the insider SREs had dozens of calls with his handler during work hours to provide intelligence on specific Twitter accounts. Similarly, there are reports of one the insiders being very stressed, taking unusual days off, etc. The TLs should be trained on picking up those signs and handling them accordingly. It might be personal issues, mental health, but also signs of conducting espionage.
  • Similarly to the above, the insiders were making last minute trips with same-day return, they were getting paid tens of thousands of dollars by their handlers (which likely means that they were also spending more), they were receiving expensive gifts that they have been witnessed wearing and selling, setting up companies, etc. All of those are indicators that a TL should have picked up and reported to the threat intelligence (or security) team to look for signs of insider threat activity.
  • The DoJ document doesn’t provide a lot of details on this, but it seems that the initial meeting was set up trivially without any, even basic, background check on the visitors. At a minimum, the visitors shouldn’t be allowed in all areas, they must always be escorted, and employees should be trained on what can be shared and signs of potential espionage activity by 3rd parties.
  • The insiders were using unconventional means for communication with their handlers including Apple Note, non-corporate GMail accounts, etc. Those are things to consider when building your DLP and decryption strategy. First analyse what users typically use for communication, follow whatever processes for approval your company/governments requires, and monitor them for threat indicators.
  • Another key factor, was the amount of people involved. Just like in most HUMINT collection operations, it was a network of employees that were collaborating. Keep this in mind when conducting such investigations, it’s rarely a single person that is doing everything.
  • Lastly, another great lesson from this case was the fact that one of the insiders left to start his own company to receive the payments from the Saudi handlers, but he maintained access to Twitter’s internal systems via his ex-colleagues. Any off-duty employee account should be closely monitored because if they were to perform any malicious activity it is very likely they will do it either right before leaving, or just after they left. So, if the communication was monitored they might have been able to figure out what happened earlier.
  • When you have clues that you are dealing with a nation-state threat actor, involve the experts (AKA counter-intelligence agencies of your country). They probably have more intelligence than your team on the threat actors, and definitely more experience on how to handle such cases. For the same reason it’s important to have already established a good relationship with those agencies.
  • Lastly, when a private company is against a nation-state, the likelihood of getting any sort of legal implications is minimal. So, what you can do instead is public shaming (like in this case) to raise awareness and show the rest of the world what’s happening. Lots of those “public shaming” can actually lead your government to take a stronger stance (think if all private companies were going public with the espionage cases they had and which country was behind it). So, although it might look like there is nothing you can do, even going public is a great offensive action.

Just to be clear, I’m not bashing on Twitter security. They did an excellent job, including the entire counter-intelligence operation in collaboration with the FBI, the interviews of the insider threat actors, and also some of the things I mentioned above. Also, what I’m writing is based on the limited information that is publicly available. Apparently, it’s very likely I am missing key details. I’m just summarizing some lessons, based on my limited knowledge and experience, that any threat intelligence team can potentially use from this recent espionage case. If you think I missed any important lessons, please let me know. :)

Written by xorl

May 31, 2020 at 23:26

FIRST Cyber Threat Intelligence Webinar Series: Building an intelligence-driven organization

leave a comment »

Just like for most people that speak at conferences, this year has been quite unusual for me too. Recently, I gave my talk, Building an intelligence-driven organization, and it was a new experience for me. Talking to an industry conference remotely. So, here is how this went.

In 2019 I submitted a talk in the CFP of FIRST Cyber Threat Intelligence Symposium that was scheduled to take place in Zurich in March 2020. I received some feedback and after some back-and-forth, in February 2020 I received an email that a version of my talk with some minor adjustments was accepted. Getting accepted to talk at this event for me was one of the biggest highlights of my professional life in 2020, but as we all know… COVID-19 happened.

Again, after various back-and-forth, the awesome FIRST CTI organisers team decided to run the event online in the first weeks of May 2020 and rename it to FIRST Cyber Threat Intelligence Webinar Series. That worked out nicely, and the entire event was great. Based on this small experience I gained from this, here are some recommendations for any “remote” conference speakers:

  • Find a quiet place
  • Make sure you have good internet connectivity
  • Good audio/video hardware
  • Test your setup and content in a test conference call before the event
  • Test your setup and content a few minutes before the presentation once again
  • Keep everything you might need close by (water, notes, etc.)
  • Turn off mobile phones, pagers, chat applications, or anything else that can cause interruptions or unwanted noise (jewellery, cables/cloths touching the mic, etc)
  • It’s easier to derail when presenting in this format, be focused and plan carefully your talk
  • Depending on the talk, you might not have video which means the non-verbal communication is removed from the equation so you have to rely more on the way you present your content
  • If you do have video, make sure your appearance, the lighting and background are professional and not distracting your audience from the actual content
  • It’s much harder to assess audience’s engagement throughout the talk, so make sure that you ask for a lot of feedback afterwards

Just to be clear, I am not saying that I succeeded in all of the above. Just that I realized the importance of those throughout this process. Hopefully that will be useful to future “remote” presenters. :)

Written by xorl

May 15, 2020 at 09:44