Secure Failure
SBD403: Secure By Design
Welcome To Week 7
Shivangi Gheewala, Learning Facilitator, [email protected]
Class Schedule: Wednesday, 6:30 PM (FS-4:03 On-campus and Online – 3 hrs)
Module 7 Topic – Secure Failure
Agenda
• Know Your Enemy
• Measuring the Cyber Threat
• Break Time
• Module 7 Activities & Assessment 2 Discussion 2
Know Your Enemy
• What do we mean by Cyber Threat Actors?
– They are individuals or groups that intentionally cause harm to digital systems, networks, and data.
– Types of threat actors: hacktivists, nation-state actors, cybercriminals, thrill seekers, and cyberterrorists, all with varying attributes, motivations, skill levels and tactics.
– Inside attackers as threat actors: since 2020 there has been a 68% increase in insider attacks.
o Employees/staff can be a major source of cyber incidents, both intentionally and unintentionally.
o Another cause is human error, due to lack of understanding or mistakes.
• Human Error Example:
– The 2017 WannaCry ransomware attack on the NHS affected more than 70,000 computers and pieces of medical equipment across 80 NHS organisations.
– The attack cost the NHS an estimated £92 million.
– The attackers took advantage of a known weakness in Windows systems that could have been fixed with security patches.
– There was no coordinated security response plan when the attack occurred, which made the damage harder to control.
• What is Cyber Criminology?
– It is the study of cybercrime and its impact on the physical world: a field that combines computer science, internet science, and criminology to analyse and explain cybercrimes.
– Cyber criminology is used to:
a. Develop strategies to address cybercrime
b. Evaluate the effectiveness of existing laws and regulations
c. Identify risk factors associated with cybercrime
d. Analyse evidence-based strategies to reduce the occurrence of cybercrime.
– Categories of cybercrime:
o Cyber-dependent crimes: crimes directed at computers or ICTs, such as hacking, malware, and DoS attacks.
o Cyber-enabled crimes: crimes facilitated by ICTs, such as online fraud, cyberstalking, and online banking scams.
• What is Hackonomics?
– Cybercriminals assess attacks based on potential return on investment.
– The economics of hacking: knowing the economics behind hacking helps businesses develop better security strategies to mitigate cyber risks.
– Terminologies:
a. Cyber Black Economy: cybercriminals make money through illegal online activities.
b. Dark Web Trading Sites: black markets on the dark web offer cyber attack tools, stolen data, and other illegal goods, with cryptocurrencies used for transactions.
c. Dark Web Prices: prices fluctuate based on supply and demand; large data leaks can lower prices due to increased availability.
d. Hackers as Rational Game Players: hackers look for easy targets with high rewards, applying game intelligence.
• What do we mean by Hacker?
– An individual with technical computer skills; the term often refers to individuals who use their skills to breach cybersecurity defenses.
– Hackers try hard to remain anonymous, but experts can learn about their activities and motivations through patterns in their attacks.
– Individuals who simulate cyber attacks/hacking to understand how real hackers think form the red team; the defending team, responsible for protecting systems against hacking, is called the blue team.
– Hackers come in various types: amateur hackers, cyber criminal gangs, organised syndicates, mercenary teams, hacktivists, cyber terrorists, and nation-state sponsored teams.
1. Amateur Hackers:
• Individuals who are not professional hackers but have a strong interest in computers and hacking.
• They possess basic skills and can occasionally exploit unknown vulnerabilities.
• They often experiment and are part of online communities sharing techniques and tools.
• Many are referred to as “script kiddies”, meaning they use existing scripts or code rather than creating their own.
• They serve as a talent pool for more sophisticated hacking groups.
• As hacking tools become more accessible, even those with minimal skills can cause significant damage.
• Amateur Hackers Examples:
1. Jonathan James: a teenage hacker, arrested at 15 for breaking into the US Department of Defense and later convicted of multiple cyber crimes.
2. 14-year-old hacker in Poland: used a modified remote control to cause a tram derailment, which injured 15 people.
3. Astra: a 58-year-old mathematician who hacked into the Dassault Group and caused $360 million in damages by stealing sensitive information.
2. Hub-Structured Cyber Criminal Gangs:
• Informal, organised groups of hackers that focus on cyber crime activities.
• Typically well-educated.
• Groups are often temporary, frequently re-forming as new teams.
• Main members may number in the tens, but they work with a large number of peripheral individuals, around 100,000, who provide services and trade stolen data.
• Up to 80% of cyber crime is believed to be organised, either through hub-structured groups or through hierarchical syndicates.
• Hub-Structured Cyber Criminal Gangs Example:
– Albert Gonzalez started as a teenage hacker.
– He then created the international gang ShadowCrew after hacking into NASA at age 14.
– The group had about 20 main members focused on stealing credit card and identity information.
– They ran an auction site for stolen data, through which they reportedly stole about $4.3 million.
– Their activities spanned multiple countries. They shared techniques and resources with other cyber criminal organisations.
– Albert was arrested during a Secret Service investigation known as Operation Firewall.
3. Hierarchically-Organized Cyber Criminal Syndicates:
• Hierarchical groups are more stable than hub-organized groups: a) they have a clear hierarchy with a management structure and division of labour, b) they invest in resources and expertise.
• They operate like legitimate businesses, controlling expenses, tracking profits, and investing in technology and infrastructure.
• For example, they invest in physical assets and advanced IT equipment to support their operations.
• Some syndicates have functions like marketing, customer support, and human resources, similar to legitimate companies.
• Hierarchically-Organized Cyber Criminal Syndicates Example:
– The Carbanak group is well-known for stealing credit card information and was involved in major cyber attacks against financial institutions globally.
– They used techniques like spear phishing and remote access Trojans to infiltrate networks and steal data.
– They are responsible for over 250 financial data thefts, with estimated losses of up to $1 billion.
– In March 2018, law enforcement in Spain arrested the leader of Carbanak in an international investigation.
4. Mercenary Teams:
• Cyber black markets now have mercenary teams of skilled coders that offer various services.
• These include renting botnets, designing malware, trading zero-day exploits, and hacking organisations.
• These teams consist of highly skilled developers, often hired by organised cybercriminal groups to conduct advanced hacking tasks.
• Members join these teams to monetise their expertise in hacking and malware.
• Mercenary Teams Example:
– Hidden Lynx is a China-based hacking-for-hire group known for stealing industrial secrets and sensitive data for clients.
– It is estimated to have 50-100 operatives, with extensive expertise in hacking and breaching secure networks.
– They have targeted sectors like finance, education, government, and defense worldwide.
– Their main methods include mass attacks using a custom Trojan and targeted attacks using zero-day exploits.
5. Hacktivists:
• Hacktivists are cyber attackers driven by ideological or political motives.
• Common causes include anti-capitalism, anti-government, environmental activism, political protests (e.g., pro-Palestinian), and human rights.
• Common tactics include defacing websites, spreading propaganda, fake news, trolling, DDoS attacks, and network breaches.
• They also use whistleblowing to expose confidential information.
• Hacktivists Example:
1. The 2011 Sony attack compromising 77 million PlayStation accounts, and “Operation Global Blackout”, intended to disrupt the internet, which did not materialise.
2. Supported the Arab Spring and the Occupy movement.
3. Approach used: DDoS attacks, data breaches, internet disruptions, and website defacement.
4. Often uses counterculture symbols like the Guy Fawkes mask.
6. Cyber Terrorists:
• Terrorist groups aim for political change through violence.
• These groups use technology to spread propaganda, recruit members, communicate securely, gather information, raise funds through cybercrime, and support physical attacks.
• Some experts believe terrorists may attempt large-scale cyber attacks, using hacking for economic or psychological warfare.
• These groups aspire to major cyber attacks but lack the advanced skills to control critical systems, so they hire someone for that.
• Cyber Terrorists Example:
– United Cyber Caliphate (CyberCaliphate): ISIS’s cyber arm, known for website defacement, email hacking, credit card theft and killing people.
– After disruptions in Iraq and Syria, they operate as a “virtual caliphate”, focusing on online influence and low-level cybercrime.
7. Nation-State and State-Sponsored Cyber Teams:
• They are government-funded cyber teams, often linked to military and intelligence.
• They operate for national goals.
• These teams perform a range of activities: passive data gathering, espionage, and offensive attacks on foreign networks.
• State-sponsored attacks are used for political leverage and for economic manipulation.
• Nation-State and State-Sponsored Cyber Teams Examples:
– Notable groups include Lazarus (North Korea), Sofacy (Russia), Cozy Bear and Energetic Bear (Russia).
– Lazarus is linked to high-profile attacks, like the Sony hack, SWIFT banking fraud, and WannaCry malware.
– Energetic Bear focuses on espionage in the energy sector and potential sabotage of Western energy. It uses techniques like spear-phishing, Trojan software, and malware injections to control systems globally.
Figure: Skill level gradings for cyber hackers
Break Time
Know Your Enemy
• What are Spies?
– People who steal a company’s proprietary information, trade secrets, or intellectual property without the company’s consent.
– Spies can display certain “red flags” and work without a correct/real profile.
– Motivation for spying can be explained by the MICE model: Money, Ideology, Compromise, and Ego.
– There are also five main CRIME motivations for spying: Compromise, Revenge, Ideology, Money, and Ego. It mirrors the MICE model, with the addition of Revenge.
– Spies are often nervous as they know they are breaking trust and laws.
– They seek reassurance through tactics like escape plans and cover stories.
– Business Espionage:
o In Singapore, ethnic Chinese employees provided sensitive information to Chinese competitors; they claimed that they were pressured by counterparts in China.
o In Vietnam, in 2011, U.S. executives training there discovered that a laptop left behind had been compromised, with documents copied by local staff.
o Israel has a reputation for aggressive business espionage, especially in the U.S., focusing on the military and technology sectors.
o Business spying is prevalent in India, often conducted by private investigators hired by companies looking for competitive advantages.
– Electronic Means of Business Espionage:
o Use of hidden microphones, laser beams, keystroke loggers, cameras, and phone taps.
o Easily concealable gadgets like modified pens and glasses.
o Social engineering espionage involves “con games” that bypass security protocols by exploiting trust and authority.
o Social engineering methods (manipulation or deception).
o Spyware installation via freeware, spam mails, email attachments, or thumb drives (USB flash drives).
o Spies search through discarded items (“trash covers”).
o Spies frequently break into buildings, vehicles, and offices, breaching physical security.
o Spies interview individuals to obtain confidential business data.
– Examples:
o A drone disguised as a bird was used for surveillance in a South African cargo truck robbery.
o Corrupt police officers installed a recording device to leak competitive pricing at a Philippines dairy company.
o A Hong Kong soft drink company found transmitters in the conference room and laser monitoring on windows from an adjacent building, used to leak competitive strategy.
o In a U.S. office, cleaning robots with cameras and audio inadvertently transmitted business information to competitors.
– Facing Espionage While Travelling:
o Business travellers and expatriates (settled abroad) face high risks of espionage in foreign countries, especially in nations with a history of business spying.
o Darkhotel espionage: most infections from hotel Wi-Fi espionage are reported in countries like Japan, Taiwan, China, Russia, and South Korea, particularly affecting travelling business executives.
o A 2014 Kaspersky Lab report highlighted the risk of hackers exploiting hotel Wi-Fi networks, leading to malware downloads and remote access to business information.
o Taiwan (1990s): a government official returned to his hotel to find unauthorized personnel removing a recording device.
o South Korea (late 1990s): a legal team’s hotel conference room was infiltrated with bugs and cameras; hotel staff shared information with a local who was under legal scrutiny.
o China (2008): three R&D employees’ laptops containing sensitive information were stolen during a dinner outing. When they were returned, the confidential data had been downloaded.
How can we prevent travel espionage?
o The adverse impact of espionage on travel agents can be greater than that of violent threats, yet many organisations still focus on potential violence.
– What does spying include? Discovering sensitive information, stalking or monitoring someone, and involvement in political or social espionage activities.
– Can spying activity be viewed as a “victimless crime”?
– The FBI has indicated the following behaviours as “red flags”.
– FBI-identified spy traits:
– Personal and financial motivators: greed, and thrill-seeking behaviours.
– Ideological and emotional drivers: loyalty to a cause or country, or a “James Bond”-style fascination.
– Vulnerability to manipulation: susceptibility to blackmail, especially if involved in risky behaviours (affairs, gambling), or a need for approval.
– Family and personal issues: marital conflicts or separation from family that may drive them towards espionage.
• Insider Threats:
– A threat to an organisation that comes from someone within the organisation who has authorized access to the organisation's systems and data.
– About 10% of data breaches are due to malicious insiders.
– Disgruntled employees may act out of revenge, whistle-blowing, or a wish to punish their employer.
– Common insider attacks include data theft, creating backdoor access, and sabotage.
– Mole: an imposter who gains access to a privileged network by posing as an employee or partner.
• Example (Disaffected IT Engineer):
o Most malicious acts are triggered by perceived unfair treatment, such as being reprimanded or laid off.
o Typically, these actions come from IT or technical staff, often involving unauthorized access, fake accounts, or data theft.
• Insider Spies
– Insider spies can be high-level employees or lower-level staff, including secretaries, contractors, and security personnel.
– Methods of espionage:
o Planting spies: governments and competitors often “plant” spies within organisations.
o In-place recruitment: individuals with legitimate access to sensitive information may be recruited to provide it.
o Competitive recruitment: some firms may offer better positions to insiders to gain sensitive information when they switch jobs.
o Psychological manipulation: techniques like the “honey trap” use emotional or sexual relationships to blackmail.
• Cases of Insider Espionage
– South Korea (mid-1990s): an older Korean woman posed as a job-seeker to gain access to sensitive information like pricing and customer data for a competitor at an international firm.
– U.S. high-tech manufacturing case (2005): a company hired an individual from China without a background check; the individual was later revealed to have connections to a Chinese intelligence service.
– Hong Kong (2005): an IT employee leaked confidential layoff information by sharing emails with colleagues, causing unrest and threats within the company.
– Harsco Corporation (US): Clyde Kirkwood, a vice president at Harsco, allegedly passed confidential information to a competitor while secretly accepting a job there. Kirkwood is accused of influencing company decisions and trying to steer Harsco away from competing projects.
• Script kiddies
• State actors
• White-hat hackers
• Black-hat hackers
• Ethical hackers
• KVM attack
• Zero-day vulnerability
• Living-off-the-Land and Fileless Malware
Measuring the Cyber Threat
• Organisations must conduct objective assessments of cyber threats, considering the likelihood and potential severity of losses.
• Threat Matrix: evaluates threats based on:
– Intensity is the perseverance of a threat in the pursuit of its objective.
– Stealth is the ability of the threat to maintain a necessary level of secrecy.
– Time is the period that a threat group is capable of dedicating to planning, developing, and deploying methods.
• Resource Attribute Measurement:
– Technical personnel: building and deployment of the technical capability.
– Knowledge: level of proficiency, and the threat group’s capability.
• Attack Tree Analysis:
– Step 1 (Identify root node): identify the main goal of the attacker.
– Step 2 (Identify subordinate nodes): break down the root objective into specific actions or sub-goals that the attacker might pursue to achieve the main objective.
– Step 3 (Review and adapt paths): a) analyse the attack tree by iterating through the alternative nodes, b) consider alternative pathways and adapt to the strategies the attacker might take.
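As an added worked example (not from the slides), the Threat Matrix attributes and the three attack-tree steps can be combined: each leaf of a constructed attack tree is rated for the Time, Knowledge and Stealth it needs, and constructed profiles for an amateur, a criminal syndicate and a nation-state team are checked against it. All node names, ratings and profile numbers are hypothetical, and `without_leaf` models step 3 by re-running the analysis after a mitigation such as patching.

```python
from dataclasses import dataclass, field
from typing import List

# Added illustration, not from the slides: each leaf of an attack tree is rated
# with the Threat Matrix attributes Time and Stealth plus the resource attribute
# Knowledge, then matched against constructed threat-group profiles (hypothetical).

@dataclass
class Node:
    name: str
    kind: str = "LEAF"                 # "AND", "OR" or "LEAF"
    children: List["Node"] = field(default_factory=list)
    time_days: int = 0                 # Time a leaf action needs (days)
    knowledge: int = 0                 # skill needed: 1 (amateur) .. 5 (nation state)
    stealth: int = 0                   # secrecy a leaf keeps: 1 (noisy) .. 5 (quiet)

@dataclass
class ThreatProfile:
    name: str
    time_days: int                     # Time the group can dedicate
    knowledge: int                     # proficiency the group has
    min_stealth: int                   # noisiest action the group will accept

def feasible_paths(node: Node, profile: ThreatProfile) -> List[List[str]]:
    """Steps 2-3: every combination of leaf actions reaching `node` within the limits."""
    if node.kind == "LEAF":
        ok = (node.time_days <= profile.time_days
              and node.knowledge <= profile.knowledge
              and node.stealth >= profile.min_stealth)
        return [[node.name]] if ok else []
    if not node.children:              # sub-goal with no remaining actions is unreachable
        return []
    if node.kind == "OR":              # any one child suffices
        return [p for c in node.children for p in feasible_paths(c, profile)]
    combos: List[List[str]] = [[]]     # AND: every child is required
    for c in node.children:
        child_paths = feasible_paths(c, profile)
        if not child_paths:
            return []
        combos = [done + p for done in combos for p in child_paths]
    return combos

def without_leaf(node: Node, leaf: str) -> Node:
    """Step 3 (adapt): copy of the tree with one leaf removed, e.g. after patching."""
    kids = [without_leaf(c, leaf) for c in node.children if c.name != leaf]
    return Node(node.name, node.kind, kids, node.time_days, node.knowledge, node.stealth)

# Step 1: the root goal. Constructed tree with generic, non-specific actions.
TREE = Node("Obtain customer database", "OR", [
    Node("Misuse an employee account", "AND", [
        Node("Phish an employee", time_days=2, knowledge=1, stealth=3),
        Node("Defeat the MFA prompt", time_days=5, knowledge=3, stealth=2),
    ]),
    Node("Exploit a known, unpatched server flaw", time_days=1, knowledge=1, stealth=2),
    Node("Develop a zero-day for the database software", time_days=90, knowledge=5, stealth=5),
])
PROFILES = [
    ThreatProfile("amateur", time_days=7, knowledge=1, min_stealth=1),
    ThreatProfile("criminal syndicate", time_days=60, knowledge=4, min_stealth=2),
    ThreatProfile("nation-state team", time_days=365, knowledge=5, min_stealth=4),
]

def threat_summary(tree: Node, profiles=PROFILES) -> dict:
    """Which profiles can reach the goal, and by which paths."""
    return {p.name: feasible_paths(tree, p) for p in profiles}
```

Running `threat_summary(TREE)` and then `threat_summary(without_leaf(TREE, "Exploit a known, unpatched server flaw"))` shows that patching removes the amateur's only path while the syndicate still has the account-misuse route, which is the kind of comparison step 3 is meant to support.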
• Measurement & Management:
1. Self-Defense Responsibility:
– Individuals and organizations cannot rely solely on government protection; everyone needs to be proactive in cyber defense.
– Chief Information Security Officers (CISOs) should act as the primary defense leaders for corporate assets.
2. Monitoring Checklist for Cyber Security:
– Patch implementation speed: track and improve the time taken to apply software patches.
– Social engineering failures: monitor incidents of social engineering and enhance staff training.
– Intrusion detection time: measure the time to detect breaches to limit damage.
– Attack frequency: log and analyse attack patterns to prioritize defense resources.
– Near misses: record cyber near misses to assess vulnerabilities and address potential security lapses.
– Staff morale and awareness: ensure employees understand cyber threats and are prepared to respond.
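An added example, not from the slides, of how four of the checklist items (patch speed, detection time, attack frequency, near misses) can be computed from a patch tracker and an incident register. Both CSV logs and their ids are constructed samples, and the targets passed to `checklist_review` are assumed values rather than any standard.

```python
import csv
import io
from datetime import datetime
from statistics import mean, median

# Added illustration, not from the slides: computing four checklist items from
# records that a patch tracker and an incident register would hold. Both logs
# below are constructed samples with hypothetical ids and dates.

PATCH_LOG = """\
patch_id,released,applied
PATCH-EX-1,2024-03-01,2024-03-04
PATCH-EX-2,2024-03-10,2024-04-02
PATCH-EX-3,2024-03-15,2024-03-16
"""

INCIDENT_LOG = """\
incident_id,kind,started,detected,outcome
INC-EX-1,phishing,2024-03-02T09:00,2024-03-02T11:30,near_miss
INC-EX-2,malware,2024-03-05T22:10,2024-03-07T08:00,breach
INC-EX-3,phishing,2024-03-12T14:00,2024-03-12T14:20,near_miss
INC-EX-4,brute_force,2024-03-20T03:00,2024-03-20T03:05,blocked
"""

def _rows(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))

def _hours(start: str, end: str) -> float:
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600

def patch_speed(log: str = PATCH_LOG) -> dict:
    """Patch Implementation Speed: days from vendor release to deployment."""
    lags = [_hours(r["released"], r["applied"]) / 24 for r in _rows(log)]
    return {"mean_days": round(mean(lags), 1), "max_days": round(max(lags), 1)}

def detection_time(log: str = INCIDENT_LOG) -> dict:
    """Intrusion Detection Time: hours from first activity to detection (median, as one slow case skews a mean)."""
    hours = [_hours(r["started"], r["detected"]) for r in _rows(log)]
    return {"median_hours": round(median(hours), 2), "max_hours": round(max(hours), 2)}

def attack_frequency(log: str = INCIDENT_LOG) -> dict:
    """Attack Frequency: incidents per kind, to prioritise defense resources."""
    counts: dict = {}
    for r in _rows(log):
        counts[r["kind"]] = counts.get(r["kind"], 0) + 1
    return counts

def near_misses(log: str = INCIDENT_LOG) -> list:
    """Near Misses: incidents that nearly succeeded; social-engineering ones feed staff training."""
    return [r["incident_id"] for r in _rows(log) if r["outcome"] == "near_miss"]

def checklist_review(max_patch_days: float = 14, max_detect_hours: float = 24) -> list:
    """Flag checklist items that breach the (hypothetical) targets passed in."""
    findings = []
    if patch_speed()["max_days"] > max_patch_days:
        findings.append("patching: slowest patch exceeded target")
    if detection_time()["max_hours"] > max_detect_hours:
        findings.append("detection: slowest detection exceeded target")
    top = max(attack_frequency().items(), key=lambda kv: kv[1])
    findings.append(f"most frequent attack kind: {top[0]}")
    return findings
```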
3. Risk Management through Measurement:
– Measurement helps in budgeting and resource allocation by identifying high-risk areas that require prioritization for defense efforts.
– Monitoring software quality and bugs can reduce system vulnerabilities.
– Data-driven tracking supports efficient risk management and helps CISOs strengthen cyber defenses.
– Forward-thinking companies invest in advanced security technologies proactively, utilizing methods that go beyond traditional attack signatures to detect abnormal behaviour.
BREAK TIME
After Break – Learning Activities & Assessment 2 Discussion