The Expanding Universe of Cyber Threats

um and without further Ado I'd like to introduce the keynote so uh for this morning's keynote we have Dr Xena Olsen Dr Xena Olsen is a cyber security professional focused on Cyber threat intelligence at a Fortune 100 company she enjoys discussing all things cyber threat intelligence and can be found in various threat intelligence sharing groups such as curated Intel she's a Sans women's Academy a graduate with eight giac certifications and an MBA in it management and a doctorate in cyber security with a focus in Enterprise purple teaming and without further Ado uh Dr Olson speaking about the expanding Universe of cyber threats thank you [Applause] all right just give me a couple moments to get set up here

woohoo it worked I get speaker notes how exciting this is going to be a kind of rough looking at a cell phone okay so I want to do a really quick thank you to B-side San Francisco to your staff the volunteers the sponsors everyone involved this is a big event to put on so let's give them a little round of applause okay and due to timing I'm going to leave this open hopefully it stays on so that I can make sure I get this wrapped up on time all right so thank you everyone do you remember the first time you discovered something new or saw something from a different perspective well I do I was a very very small girl

and I was having a hard time learning the difference between my left hand and my right hand for some reason I just couldn't tell them apart so one day a teacher came up to me and they're like hey if you look at your hand it is shaped like the letter L and right then and there my life was forever changed I never looked at my left hand the same way again and just like that those feelings of awe and Discovery and just learning something new I hope you get to reconnect with that and have those type of experiences this weekend through conversations with other professionals so what is this talk about well besides San Francisco they reached out to me and

they're like we want you to talk about cyber threat intelligence and I'm like OMG yes I love cyber threat intelligence so we hopped on the phone we started talking and I started going like this because we needed to come up with a topic and I realized I kind of felt like that Meme of It's Always Sunny in Philadelphia talking about all the Cyber threats so in that moment besides San Francisco and I were like that's it that's it so bam a couple of emails later and we got the title The expanding Universe of cyber threats and that's how this presentation was born so I I thought to myself I'm like what do I have to bring to this topic what do

I want to share with everyone well I realized that I have a story to share about the Cyber threat intelligence wins that I've had the opportunity to observe in my career so you all get to hear about that and I also wanted to encourage people to engage their internal cyber threat intelligence team or CTI team and if you don't have one to possibly think about standing up your own cyber threat intelligence function so if you're like me you think about the problem of the expanding Universe of cyber threats and you're like man there's just so many every single week every single Patch Tuesday something new is coming out and so you think about the limitations

of either people process technology and you're like all right I there's no way in the world I can address all of these cyber threats so with that I want to challenge you to look at the expanding Universe of cyber threats as an opportunity and what I hope you get out of this talk is inspiration to explore new or existing things from a different perspective and to discover something incredible so I heard from a friend that in space no one can hear you scheme except for lawyers so with that I am here in my own individual capacity I'm not speaking on behalf of my employers everything I say do any vendor I mention is solely my

opinion all right hopefully that checked that box so thank you besides San Francisco to read for the really wonderful introduction but I wanted to add a little bit more context for you guys so I've been in cyber threat intelligence as an official paid career where I made money full-time for a little over five years and prior to that I wore many hats but I came from a small business realm and so with that why I'm sharing this with you is that I tend to approach things from a business perspective where I try to focus on providing business value so if you're wondering if it sounds a little mba-ish please excuse my MBA but it really is my business

experience so in this cyber career what I've learned so far is that there is not a one-size-fits all for anything and there's kind of no one right way to do something so in this talk I'd love for you to have an open mind we're here to have fun we're here to explore and we'll we're here to kick off a really awesome conference so I'm gonna talk a little bit about space so in 1961 JFK had a really awesome speech if you get a chance you like great speeches check it out it was the space exploration speech at Rice University where basically he said hey everyone guess what we are gonna go to the moon in less than a decade and just

pause with me for a second and imagine no one's ever ever done that before and they're saying in less than 10 years we're going to the moon and you're like yeah he's crazy uh so actually fast forward in 1969 that was approximately eight years later not only did we go to the moon but we also walked on the moon how crazy is that so when that happened I feel it absolutely changed the world and changed what was possible for everyone and similar to the moon landing where essentially when that was happening eagle or Apollo 11's lunar module had about 20 seconds left of Landing Fuel and so all the people on Earth you know in today's Earth Day happy Earth Day by

the way all the people on Earth were like whoa ah and they didn't really understand the actual threat that was going on and so cyber security is a lot like that where all of us you know we operate in the background we operate in the shadows we make sure stuff is patched in time we we investigate anomalous activity like all the things and we ensure that the business keeps running and the customers and the general population are blissfully unaware that we exist so in a world where the expanding Universe of threats is an actual reality because it is we become the Cyber equivalent of the Cyber Explorer similar to the astronauts and the engineers and NASA and everyone that

was involved in getting us to the Moon so we are the adventurers the innovators the out-of-box thinkers and the future so we are empowered to be curious we're empowered to learn all the things and to discover something incredible so in this talk I'm going to talk briefly about cyber threats what's going on with them and then how to prioritize them maybe a little bit about the real world and then finally the conclusion so we're gonna go on Adventure on an adventure and we're going to share I'm going to share some of my favorite threats and I hope you like them too basically we're going to start with some history go into some definitions and then some flavors of

cyber threats so this is the totally official super serious history of cyber threats so imagine with me in a galaxy in a galaxy far far far away someone invented computers probably some people maybe some aliens to ensure the future of humanity through technology and this laid the groundwork for the birth of cyber threats so no talk about the history of cyber threats would be complete without a shout out to the very first computer virus so I will give you a hint it was named after the bank robbing Green Ghoul in Scooby-Doo Where Are You which was a cartoon in the 1970s all right it was the creeper so in 1970 Bob Thomas he's like you know I would

love to do a security test and see if it's possible to make a self-replicating program and basically if the creeper visited you it would print out I'm the creeper catch me if you can so that was a fun little tidbit of History so when you're exploring new topics or looking at things or having conversations with people I generally recommend to kind of get on the same page and level set and the way that I do that is through understanding other people's definitions of whatever words they're using so for instance this one on the screen here I honestly picked this one a because I liked it and B because it kind of aligns with the usage

in this particular talk no other special reason so before the Pearl clutching begins this is not an exhaustive list of cyber threats it's just some of them and for people that are interested in looking into like High Level Threats for your particular industry check out Verizon's dbir or data breach investigations report uh what I love to do in the evening sometimes is like you know get some water coffee or whatever drinking at the time and read the footnotes the footnotes are absolute perfection and I highly recommend so first we're going to start with information operations so believe it or not deep fakes aren't just for Tom Cruise on tick tock they can also be used to

convince for instance your CEO to go on record saying stuff that they normally probably wouldn't say a group that is well known for doing this is bovan and Lexus or ta-499 by proofpoint and so basically they target politicians and celebrities and they use quote unquote deep fake pranks wink wink and their pro-russia Comedians and there's been rumors that they're Associated or Affiliated or something with the Russian government but basically they deny deny deny if you're interested in exploring more about information operations I would suggest checking out cyber War con and they just released the 2022 videos or starting to last night and in it there's some really great info Ops for State Nexus actors and when I say State

Nexus it's really just a fancy word for like Affiliated related whatever to like the government next we'll talk about system intrusion and so I'm going to bring up targets 2013 breach as a result of the HVAC company but I'm not going to talk about what you think I'm going to talk about instead I'm going to focus on their glow up and say there is life after breach so fast forward about five years give or take in 2018 2019 Target security team is absolutely rocking it so they're in the FSI Sac or the financial services information sharing and Analysis Center they're in the retail ISAC and they're also contributing to the community and in the event you don't have an ISAC membership

I highly recommend checking out their Sans threat hunting or CTI Summit and at the end of this talk I ended up putting a lot of these resources on a GitHub so be sure to look up my GitHub you can also go to I don't know github.com Cheerio and then you'll see B-side San Francisco 23 so all these links are there but basically what the target security company did is they went from breach to internationally respected security team in less than five years and I really don't and this is of course my opinion so I have to caveat that but um I really don't think that they get enough credit for all the work that they

put in uh to overcome that breach situation so next we're going to talk about fraud and one of my favorite fraud actors was Hush Puppy and he was a Nigerian influencer so in 2022 he got sentenced to a little over 11 years in federal prison for conspiring to launder tens of millions of dollars due to online scams so if you get a chance on Google photos if you uh just type in Hush Puppy you'll see Instagram photos he absolutely loved flaunting his wealth and his love for luxury I personally saw it as a really easy collection vehicle for the FBI but what do I know but check it out it's it's very it's very um out there

so next we're going to talk about supply chain and this one's a fun one I think everyone in this audience might be aware of the supply chain Chain Reaction or where one supply chain compromised enabled another supply chain compromise and I'll of course share it's the 3cx one with the soft phone application everyone thought you know crowdstrike released a Reddit notice on what was it March 29th of this year and then they're like oh my gosh 3cx smartphone application you know look at what's going on supply chain and then on uh April 20th uh just a couple days ago mandan's like hold up we found patient zero and it happens to be an application by trading Technologies SO trading

Technologies breach or whatever issue with that with the back door and then we have 3cx so just a little tidbit they think it was attributed to dprk or North Korea either SP knowledge activity cluster or group but depending upon which vendor is your flavor of choice and finally I just want to bring up a really important one that gets overlooked a little bit and it's romance scams in 2021 at the FBI I said that there were over a billion dollars in losses to me that's a lot of money so we're gonna talk a little bit about celebrity vulnerabilities so on May 30th of 2022 Microsoft released cve 2022 30190 and the fun part was that there

was no patch available until June 14th of 2022. so this one won the name Felina this is why it was a celebrity vulnerability because it got a special treatment and essentially it's exploiting Windows support diagnostic tool via MS Office files so fast forward approximately a week or June 7th of 2022 proof Point released research saying well well well hold up folks like ta 579 who's an actor Associated or a threat activity cluster group associated with qbot where they ended up weaponizing a mail doc to abuse the Felina vulnerability that when infecting a victim it would end up you know with a cubot infection so the important thing here is just to point out how quickly the threat actors and

and people out there that want to do us harm essentially are quick to operationalize and weaponize vulnerabilities so a really great talk on Celebrity vulnerabilities is by Andrew Morris he's the founder of gray nice so in 2022 he did a talk at black hat where basically he said he has this beautiful graph of like how the celebrity vulnerabilities have been increasing like crazy if you guys like malware and if you also like cubot there's a really really great uh talk and a slide deck actually that goes through cubot's code evolution by Carlos and Markel they work for they worked for threat Ray and it was in 2022 bot conference and it's on the GitHub all right so there's a couple different

types of threat actors I'm not going to go into all of them on the planet just some high level ones if you can see on the slides so first we're going to start with e-crime and they're honestly some of my favorite and there's unfortunately so many that I can't really pick a favorite instead what I'm going to do is focus on their behavioral changes and the e-crime ecosystem essentially so I personally really love initial access Brokers and access as a service so the e-crime ecosystem is really interesting it seems like it supports specialization and honestly I predict a continued growth in the initial access brokers in the near future and who knows forever probably um and for people that aren't familiar

with what initial access Brokers are essentially they're groups that are involved with initial access via first stage malware payloads and they may or may not it kind of depends uh work with ransomware gangs and just as an aside for people that love e-crime as much as I do there's a conference it's actually in May it's called sleuthcon I'm wearing their little pin um you know not not sponsored unless you count the pin sponsored but it's a really awesome conference where leading professionals within the industry share all the things about e-crime so I definitely would recommend checking it out okay so another group or another type of threat actors to consider is espionage so some of my absolute favorite actors

are from China and I'm going to share with you my absolutely favorite story and it was by proof point so in 2022 proofpoint released a China Espionage operation research and it was against the Australian government and the wind turbine Fleet in the South China Sea so China actually responded and they're like no no that's that's disinformation you know proof points just acting like the white gloves of the US government you know hashtag ignore uh proofpoint has absolutely quote unquote No professionalism or credibility and let me tell you the researchers that were involved with that it was probably my absolute like one of my absolute favorite moments in like the back channels and the twitters and all of

that of like for me if China publicly criticized my research I would be like boom I made it like I would add it to my resume I would be bragging about it I'd be like guess what you know China thinks I'm unprofessional um so and it was uh Michael Michael Raji so he actually had his talk from cyber War con where he goes into very intricate details released the other day so I would highly recommend checking it out it's an absolute Delight um so yeah favorite story the next one are Insider threats so I had to of course drop this mention of the 2020 Tesla employee bar incident where basically they were approached to help a ransomware gang uh somehow

magically gets software on the network for a huge payout so that's that's also that's a fun Story another one is dating apps and how investigative journalists are using dating apps and getting getting industry professionals like me or yourselves to go out on dates and then get recorded and you know ask questions about the company that may or may not be true uh so that's a fun one and then the other one that I do have to bring up that's also fairly recent is the admin of the thug Shaker Central Discord server that ended up sharing confidential information so what I predict in this particular Arena is basically there will be continued use of inventive ways to exploit normal

human interactions so that's like dating online gaming and all those chats you know that go on and also too I'm going to add this in spycraft but spycraft that happens to leave cyber breadcrumbs and I'll leave that up to you to I'll let you connect the dots so the next one is hacktivis so one of my favorite examples of hacktivis are the Russia Ukraine conflict not that Russia Ukraine conflict is awesome because I think it's very sad but uh when that came out you had hacktivists supporting the Russians and then you had hacktivists supporting Ukraine and a really great way to stay on top of all of that is the Cyber no blog and on

Twitter they have the handle cybernow 20. so definitely check that out the next one is Terrorism and it's not going to be the terrorism that you think I am actually going to speak to domestic terrorism and extremists in the United States so I feel that they're gonna Target potentially critical infrastructure to basically further their objectives and I predict that they will continue recruiting Insider threats and possibly do a little hecking but I have to caveat this that I am by no means an expert in this realm I am a bystander it's just stuff that I'm observing and all the stuff that I'm reading and the back channels and all of that um so here's the other problem too I

really am not a fan of hate speech it makes me very sad so like I tend to stay out of these Realms that uh would kind of give me a little bit more insight so like I said spectator but basically I view it as kind of a growing threat and something that I I personally can't continue to hashtag ignore and finally for the lulls so these type of threat actors I think of the ones where the road sign has changed or there's a billboard electronic billboard that's changed or I don't know like a website defacement so that's what I kind of think of uh when it comes to that and finally for people that have red or

purple team operations I also recommend kind of viewing them and tracking their particular ttps as a threat actor so why are cyber threats and basically there's a lot of different reasons they're there to disrupt think of ransomware they're there to destroy think of all the wipers that came out during the during the Ukraine Russia conflict they're there for the lulls ideologies like all of the hacktivists and and terrorism and all that other stuff and for profit and then finally Espionage and Industrial Espionage so yeah so how many how many new Cyber threats would you think come out every year um you know there's there's what Patch Tuesday a lot of crazy stuff going on well I'm gonna tell you that there are a

lot and mandian ended up putting out a report I think it is a couple days ago and it's their Mandy and M Trends report where in 2022 they're like uh well we've been tracking 588 new malware families like mind blown that's that's a lot I can't even like fathom that the other one is 913 threat activity groups that mandya knew new thread activity groups that mandya was tracking in 2022 and then finally for the whole year of 2022 they were tracking over 35 100 threat groups and that's a lot that's more than I can personally keep up with so yeah so when you see all of these different threats whether it's cves or Insider threats or all of these threat actor

aliases and names like apt-29 Microsoft changed their naming conventions but they were nobellium and now they're midnight Blizzard or crowd strikes Cozy Bear and all the different malware names like cubot is quack bot is this and soccer goalers just fake updates like ah all these names but at the end of the day they're all just cyber threats and I kind of feel like the Ancient Aliens Guy where I'm like cyber threats so how did we get here how did we get here and I'm going to share that I feel that evil I.E cyber threats aren't inevitable but instead the expanding Universe of cyber threats are actually compliments of human creativity Innovation and the power of perception

so if you've been around the block a couple times like I have uh I think you start to realize that there's like a positive and negative to everything give or take and that not everything is as it seems so I'll give you some examples number one splitting the Uranian app uranium atom on the one hand we have a nuclear power plant and on the other hand we have an atomic bomb another example is freedom versus sovereignty so we have the United States and then we have the Russia Ukraine conflict and then we also have the China Taiwan tensions that are going on which also impact the Cyber threat landscape and then finally software is another example

so Excel I love me some Excel as a CTI analyst love it but so do threat actors and they love malicious macros just as much as I love pivot tables

all right so now we're going to get into different perspectives and shared is the absolute goat like I adore her I love her I want to be her when I grow up like she's super cool so when you're thinking about being a cyber Defender like you're doing good for your employer and possibly other companies you know on and on you're like the hero right but when you think about the threat activity groups and threat actors you're actually the villain in their story because you're burning their infrastructure you're giving you know the world a heads up like hey China's up to no good in the South China Sea right like they're like oh no like that's not happening you know

they're not happy I mean if my soul if my joy in the morning essentially is getting up and like hmm what can I do today how can I make their lives absolutely miserable I am definitely their super evil villain basically so I'm gonna do a really quick story and this has to do with the December 17th of 2019 Citrix released a workaround for cve 2019 19781 and basically there was no patch available for a little over a month uh basically exploitation resulted in an unauthenticated remote code execution and I can tell you right before a long holiday weekend those are the absolute worst four words you can hear on the planet so companies had to make a decision they

had to either recall people from a holiday deal with all the political issues related to change freezes depending upon what company you're working for and you know get people to apply the work around or not so fast forward approximately 30 days and mandian ended up releasing a report regarding apt-41 and they were doing probably the largest and broadest campaign that apt-41 has ever done of like exploiting all the things so apt 41 in case you don't know there are Chinese Espionage group but basically if you had a cyber threat intelligence analyst or security professional they were able to give the company a heads up and be like yo this looks about we should probably do

something about it um and basically you become the villain in apt-41 story because you block them from from Fun and Profit so now we're gonna get into basically how to prioritize the Cyber threats as the universe is expanding so are the Cyber threats so how do we decide what to focus on cyber threat cyber threat intelligence to me is a lot like discovering threats exploration and almost a hundred percent of the time I feel it's kind of leaning into your curiosity and seeking something incredible and if you're lucky wink wink it results in really interesting findings so these are some things that I like to think about when I'm in the process of creating an RFI or responding to an RFI

for one of my stakeholders and actionable is a really big word here because it's super important one of my favorite stakeholders are of course sock all of them are but sock vulnerability management and threat hunting an example of um one of the rfis from vulnerability management is basically they're like hey CTI we have so many phones I need your help to prioritize what to patch so how we do that we look for proof of concept code uh you know targeting any cves that are related relevant to our organization we look for exploitation in the wild and uh basically that helps prioritize patching all right the other thing that we use when we get an RFI or are doing our

cyber threat intelligence work is the Cyber threat intelligence life cycle and this just gives you an idea sometimes the rfis that we get they're pretty Broad and we need this because essentially sometimes cyber threat intelligence can kind of be like Choose Your Own Adventure finally a cyber threat prioritization so I personally really love to use the internal attack data I love to look at the malware that's hitting the organization and different types of threats and I use that to start building the threat landscape with a bunch of the other stuff up here including incidents and known targeting sometimes thread actors will be like Tahiti we want to pone your company insert your company's name so of course they get slapped onto

a threat landscape and then of course third party compromise foreign telligent sharing is also vitally important in cyber threat intelligence if you get a chance I highly recommend joining the isacs or information sharing analysis centers that's where professionals from particularly your industry but there's a lot of different industry eye sacs they get together and they share Intel and they share what's up with the threat actors and iocs and all the things so some of the other really great examples is solarwinds I'm sure everyone in this audience is familiar with solarwinds where mandiant gave people a yo heads up like you know Russia's up to no good and we of course have the 3cx and trading

Technologies a supply chain chain reaction that was recent uh really another great example is log4j where all of the Security Professionals a across the world essentially got together to support one another through figuring out what the H log 4J is and how to defend against potential exploitation and then finally I have to do a shout out to wannacry with malware Tech or Marcus sharing the quick kill switch with everyone so I'm going to talk a little bit about structured analytic techniques and it was started in the intelligence community and there's an actual whole book with that name essentially and so for intelligence analysis uh analysts the structured analytic techniques help with actually performing the analysis

because essentially our working memory is give or take seven plus or minus two items so a really good example of structured analytic techniques is the analysis of competing hypotheses and digital Shadows now known as relia Quest they put out a really great ACH or analysis Computing a competing hypotheses blog on wannacry the other types of uh SATs or structured analytic techniques are lists brainstorming and also challenging mindsets so that would be like Devil's advocacy red teaming and I'm gonna add something else so this might not necessarily be structured analytic techniques but I challenge you to weaponize your mind by being strategic with the talks that you pick this weekend at B-side San Francisco basically you can go to things

outside your wheelhouse and gain different perspectives so now we're going to talk about the real world but first I want to bring up an important topic and that is burnout so one of the helpful strategies that I employ in my day-to-day is really focusing on things that spark joy and are fun honestly for me every day so some of my favorite things are super cute little animals also memes memetic Warfare and you guessed it cyber threats so I love all the memes I love talking with stakeholders and getting into the nitty-gritty of like what they want and how I can help them so humor for me helps fight burnout so you can find your own thing

so Frameworks are also very important in cyber threat intelligence and a good example of one is miter attack so miter attack for people that might not be familiar with it is basically a knowledge base of adversary tactics and techniques based on real-world observations and it kind of gives you a common language for Security Professionals to chat and commingle and kind of be on the same page so tactics generally refer to the why of an attack technique and techniques refer to the how of an attack technique and then procedures give you very detailed uh rundown of of what's going on with that couple different ways to explore procedural level information I'll just shout out one is a red team blog so we

have John Hammond in the in the audience here I love like all the red team everything I learned so much from them even though I'm not a red teamer myself like I absolutely adore them so you can learn a ton from them blue tumors just saying okay so here I'm gonna run down an example of let's say you have an email a malicious email but you can't get the sample for whatever reason so kind of how the attack path works with this is you have an HTML attachment that drops a password protected zipped ISO that contains an lnk file that uses CMD to start cubot so what do you do you don't have the sample off to virus total and if you

have vti you're super lucky and you can grab the sample otherwise off to off to the twitters so basically you obtain the compressed parent ISO and you extract it this is just you know me extracting it and then you run strings on the contents the really super special Uber strings right then you compare the old sample that you have that was in the environment to the new one that was available in the wild and then you can see your detections and see if you need to build more robust detections more resilient detections based on whatever changes they made so this is one way that you can improve the security posture at your organization through cyber threat intelligence

so now we're going to close out this talk so I talked about a lot of different cyber threats and basically threat actors are going to use what works and guess what they're gonna continue using what works and then we make that not work and then they find something else that'll work and then it's a never-ending cycle of getting good at what works currently and I know that this sounds really super basic but I feel it's an opportunity for us to get really good at whatever is working in the current moment to you know use the band hammer for any type of thread actors to get into your network or do things that you don't want them to do

essentially so looking back at past five-ish years of my cyber threat of my cyber threat career and the observations that I made of CTI wins I smile I smile because of the hard-working professionals that discovered many incredible some things and followed their curiosity to help protect their organization and other organizations and while I may never get dragged or get super shade from China publicly um I'd like to think that at least I make the cyber world a little bit of a safer place so I hope this talk inspired you to either engage your internal cyber threat intelligence team maybe on board a function and to discover your something incredible this weekend at B-side San Francisco

so thank you for spending time with me today and I'll leave you with this question how are you going to expand your understanding of the Cyber threat Universe this weekend thank you very much and end scene I'll take questions I have a a minute and 30 seconds for questions if anyone has any if not I'll be out in the hallway as well I thank everyone for your time and I hope you have a great conference