Workshop | Break the Kill Chain – An Intelligence-Led Model to Cyber Defence

Welcome. Good afternoon. I am hearable, so you understand me well, that's good. So welcome
To yes
To this afternoon's workshop. Workshop, how to break the kill chain, what a intelligence lab model to cyber defense can be. At first I would like to do some housekeeping. So we'll do an introduction. This whole workshop consists of three sessions, so we've decided to build blocks, modules to give you the opportunity to take a break in between visiting restroom, get a coffee, get a snack, but also maybe to jump in or out according to your interest of that particular topic. So that's of at first introduction. So my name is Deford. I'm representing SEMA as the head of presales and I have the owner and the pleasure being accompanied by two colleagues of Deloitte.
Yep. Good evening is my name. I'm partner within the cyber practice within Deloitte and I'm responsible for the, for the response and resilience team. So what I bring today to the table is experience from cyber incidents and what we learned there and what went wrong and some war stories, things like this. Max. Yeah,
Hi. Good afternoon. Also from my end, I'm Max in Arabs team Deloittes cyber.
Exactly, exactly. I was juggling with shoes in the you get,
Sorry. So now we're vocal on teams as well. Okay, perfect. So thank you. Okay, let's start with with the first session. So as Max has said, some of you joined this four noon session as well. Our objective for this session is we would like to go a bit more into detail when we talk about threats, when we talk about the kill chain, which we will, I would like to take you to take you on walk on the dark side, a bit of context. Si firma, which I'm representing is a intelligence company. We have the objective to make organizations understand their towards threat actors. And this is of of based upon many kind of sources of different kind of information, which we are able then to elaborate on and to provide insights in. And that's the reason why I would like to take you on this particular walk on the dark side.
So first question of all kill Shane. To whom is it familiar to not. Okay, just a brief introduction. The kill chain is kind of a theoretical principle. How an attack is conducted and executed towards an organization towards IT infrastructure. I'm raising this because today's attack methods consists of multiple steps of multiple iterative steps. There are certain aspects working together hand in hand. And this kill chain is kind of a yeah, principle. Alongside we can identify certain activities, we can measure activities and this allows us also to position the level of criticality and to address this level of criticality. So with that particular approach, I'd like to give you that particular insights under the reference of two questions.
As somebody who's working on a cyber defense objective, it is the question how to break the kill chain. So how to take yourself, your organization, your IT infrastructure out of this particular situation, out of this particular threat situation. But it is interesting to witness that also threat actors, and by the way, I do not like to use the term hacker because there are positive and negative aspects to hacking. So a threat actor is also asking themselves, is it possible to optimize and rationalize the cyber kill chain? And the second question is the one I would like to address with within my session. Question number one is something which is part of session number two and three. Then as well, having that set, I would like to introduce you to new approach or well, fairly new approach. It's not that new, but it is generating a lot of noise and a lot of interest within the threat landscape.
The initial access broker, I said before, an attack is executed on many levels with many approaches with many different techniques. One of these aspects is, as you all might know, social engineering. Social engineering is the very first step to enter an IT infrastructure to enter an organization before the actual vulnerability is exploited or any other kind of objective is met or any kind of other method is executed. The very first hurdle for a threat actor is to somehow gain access to an infrastructure. For those of you who might remember like 20, 25 years ago with the very first approaches to scan networks, to scan devices on the internet, doing the open Porwal scans and things like, so that was something which is today lost time because the city walls, the security measures, the security parameters around an organization towards this internet. They're quite profound. The weakness comes from the inside and that's the reason why social engineering is so important and is such important aspect and asset for the kill chain. So what we're looking at the initial access broker IAB are the lock picks. They are specifically looking for these kinds of access assets, which allows threat actors accessing it infrastructures, and I'm not talking about leak credentials by the way, this is another as aspect. We are talking about a situation where these individuals or groups are the door openers for following next level threat actors executing the actual campaign. What is the role in the likes of the kill chain? We're looking at the stage number one reconnaissance, which allows the identification of loopholes.
The role is then furthermore to sell the access assets as set to the next stage threat actors, which then actually gain benefit out of this information. So I'm not reading through all the slides because the slides will be shared anyways afterwards, but why is it important to understand why is this role of an I so important? So they are the door opener. They are operating at a lower left level of risk, which means those kind of incidents you would read in the news, you would hear on the media. These are the ones executed by this next level threat actors. It is not the activity by the initial access brokers and that is where the particular risk comes from because these are the ones observing it infrastructures collecting data, buying data, generating data, which allows these next level for actors to have access. It's a business, I think that's not new as well. So we're talking actually about a level of a supply chain. So these are the very first contributors into this supply chain, which allows anybody else following, making their own business. It's lucrative the roi. So on a site note, you can invest in such activities. If you go into dark web forums, you can invest, it's crowdfunded because these individuals would like to make the living and with that you're able to invest using cryptocurrency. The return of invest in average is about 1200%. It is lucrative.
So why is it an important asset? So first of all, we talk about this initial access broker situation and also the collection. They're using many approaches as you can see here, we're looking at brute force, we're looking at insider threats. So this is where they actually are paying someone to provide credentials of high value phishing attacks, the common sense information. Steeler, very interesting part. I will elaborate on this a bit further. More vulnerabilities of course. So these are all the different kind of approaches and initial access broker is trying to steal, trying to generate these access assets. Let's have a look at the information. Steeler, who is aware of the Zoom situation? Zoom is one of the most popular downloaded software assets from the past two years because of the pandemic situation. Zoom, zoom installer, which allows you to join a remote session. To join a virtual meeting is one of the most downloaded out of any kind of source software packages you can imagine. What would you do if you would like to join a Zoom meeting? So either you join this meeting by clicking on the invite link or you look beforehand maybe for a software package. And that is something which is quite interesting because one threat actor group focused on that and has released 11 domains to publish malicious setup packages. So they've taken the Zoom setup
And they've contributed with a bit more. And that is the information stealing part. This is how initial access broker, for instance, gained access into infrastructures because somebody was downloading a innocent package. Yes. Well maybe, yeah. So this is, this is an interesting aspect. So this is the link for instance. Yeah, it looks innocent but it's definitely not a Zoom origin resource. Right? I would like to introduce now a colleague of mine who's joined on the teams meeting. Maybe we can switch.
Hey,
There we
Is. Thank you.
Hey Raar.
Okay, so hey, thank you. So just to light on this incident, what happened recently? We observed one of the campaign where the doctor was impersonating the largely downloaded application Zoom, right? In this incident? No, it was a replica for Doom zoom download page where very, if you click, click on the download icon, it will get, actual installer will get downloaded. But that downloader embedded with the info Steeler that info Steeler is card with. So when you install this zoom, zoom will work normally as expected. Meantime the also get installed, which is the enforce dealers, which will be taking your credentials and informations. So based on our research and based on the platform aid, so we were able to map this activity to Russian based fin, which is financially motivated group. And this group also have an association with club ware. So if you connect the dot correctly, right? These guys are impersonating the, the well known applications and later they're trying to steal the credentials and probably they're trying to sell it to the, the ware groups are other red actors who want to exploit the system.
So you guys that, So thank you raaf. Next question though is, so how does that fit into the bigger picture? And I think this illustration is quite self-explaining, but raaf if you, if you can share some, some insight words on that as well.
Yeah, yeah. So when it comes to access brokers, so, so earlier what used to happen is, right, so every from the beginning to end in the kill chain, one rec factor used to get involved, but then over a period of time, right, everybody tried to specialize in their own area. So that's when Ensure access broker came into picture. So they specialized in that first three stages where they're good at no reconnaissance, they are good at gaining access, right? So, and ransomware groups are any other threat actors who wanted to get the data out of the systems. They, they're good at that, but they don't want to waste that reconnaissance face phase and they want, they want to conduct a targeted attacks. So that's when these groups access broker come into picture and we track good amount of access broker in our platform. So these guys collect information through different sources.
So they do these activities using fishing attacks information still, which I explained in the Zoom incident. And they use the existing vulnerabilities and zero day vulnerabilities to get in, get access to the system and third party breaches. So whatever the breaches happened historically, those breaches they can use and try to exploit the system. For example, the Cisco breach, if, if I'm not wrong, in sometime in May, 2022, the Cisco got breached, right? So there, what happened, one of the employees personal information was based earlier that personal infor that individual's credentials was linked to the browser and that browser was unfortunately linked to the Cisco account. So they were able to use the Cisco account and got it to the individual's Cisco account. They started elevating access from there and try and compromise the Cisco system and exfil some data. So the age technique, root force, right?
They are still using to get this access to these systems once this access broker have this access. So they will, they will try to sell that to the, the other threat factor, for example, no, it might be ransomware group or some other threat actor who want no interest in the organization who, who whom they want an access. So they can use that access to get in there and they don't have to spend time in reconnaissance or no building weapon, building weapons and delivering that. They, they get the access to the organization using that. They can get into the system, exfiltrate the data, then deploy the run somewhere. Are any, any other malware they wanted to install. So what what advantage they will be getting is their dwell will get reduced drastically. They don't want, they, they don't have to spend too much time into the system trying to no elevate inside no more laterally. So they will be getting access instantly as soon as they find some, some seller in the ware forum. So this is how no, the Intel access broker ecosystem vaults
Any questions? Say again?
Yeah. Okay. So the question was also to the audience on teams then maybe to wrap it up. So initial access brokers are using different kind of techniques with a pure focus on just any kind of high level and, and, and, and high valuable credentials. As said before, we're not looking at lead credentials, nothing where an employee of an organization might have signed up for, I don't know, fitness first and, and, and with the corporate email address and maybe reusing a password also being used for the introductory account for instance. So, so this is an IM topic as a site note, but, so these are the situations where these kind of third parties are breached. So that's that part. But what these initial access brokers are looking for are these high valued credential sets, like privileged credentials, administrative credentials. So these are the ones they're looking for.
And this is quite of an interesting and very sophisticated approach because these individuals, these access brokers, they need to execute the reconnaissance not only on this very technical level, they do also some social harvesting because they would like to find out if I do have a credential set, how privileged is it? So they go to social media just to find out, okay, what's the role of that individual because that relates back maybe to the level of privileges that individual might have in the IT infrastructure. And this is all hidden. This is nothing which is happening within an organization, within an IT infrastructure and can therefore not be detected, right? So this is one aspect and of obviously they're completely contributing into it. So this is the contribution for any kind of obvious attack, which is then mentioned on the media just yesterday, K Continental released the, the, the, the announcement that they've been breached. They've, they're struggling with ransomware attack right now. This is because of initial access broker working in the very early stages many months ago on elaborating how to gain access on a privileged level to this infrastructure.
Okay, so what, what does it tell us? It tells us that the common understanding of an attack, of the execution of an attack goes hand in hand between any kind of access asset and vulnerability exploitation. If you might think from your perspective, I need to understand how vulnerable is my IT infrastructure. You might think of vulnerability management Yeah, scanning your software assets and, and, and try to correlate these against the cvs and try to find out which of my software assets are vulnerable. But this is just the sense to the meaning this is the very end of the chain. To have a threat actor being able to exploit a vulnerability requires that particular kind of access first. Okay. Any, any further questions? Feel free to jump in. Yes, please. A microphone in respect to the audience online,
In the scope of the technical discussion, most of attendees are aware what should we do, what shouldn't we not do? However, for the normal business user in any company is, as you advised earlier, he is a very, very, very weak chain. He's a part that is very weak in such chain. Yeah.
So there are, there are some aspects how to, how to counter attack such situations or even though to prevent, Okay, that's part of session three. Yeah. So I'm building the bridge now session three where we consolidate everything just to give some recommendations and best practices approaches. But what I can say is, for instance, security awareness for individuals is so crucial. It is so important because there actually, there are two endpoints in our cyber world right now, which are approachable and pos possibly vulnerable. Obviously the technology, but also the people using the technology and security awareness as the overall topic is, is so incredibly important to make every user understand in what situation they are in, when they are given hardware from the, from their company, when they're given access credentials, when they are giving authorizations to speak in the, IM terms when they're given excess credentials and also permissions.
This is something they should take care of as it would be their own eyeball. And this is not happening from my position, from the position of my company. I can tell you it's sometimes just hilarious what we find in the dark web. It is just hilarious. It is so serious that you can only laugh about it. Yeah. So security awareness and the full flex and full feature is so important for these individual, for for the users, for the regular business users to understand. But not only, and that's the important part, not only for the business users but also for the IT privileged for the administrative users as well. I mean, we're talking about a situation which is, as I've said, highly lucrative and I give you some examples of this lucrative, but this is a situation where we need to make sure that everybody understands, right?
I want to add to the question, what about bringing your own device that's more famous now
Bring your
Own vibe. It's adding the two layers. Sorry, it's like the human layers, the people and also the hardware.
Yeah, that, that is also important. I mean security is a multilayered approach and device and endpoint security plays a vital role as well. So when we think about security as a strategic approach within an organization, we're not only talking about one single approach, we're talking about a multilayered approach. We're talking about the right tools, the right people, the right procedures, or the three piece product people procedures, right? This is something where we need to talk about endpoint protection at the very end bring your own device. So these kind of devices need to be incorporated into the security execution of the organization. And that goes then along with monitoring IP package inspection, firewall, smart networking, device configuration, et cetera, et cetera. So this is multiple layers of security which need to work. One thing needs to be understood as well. That doesn't guarantee a hundred percent, right? There is never a hundred percent, The only approach you can take is to reduce that particular gap of risk. Risk. That's basically it. Okay. Any further question? Anybody else comments? What I would like, what we would like to hear is also your experience. So how do you see such situation? How have you experienced that situations? I mean standing up and saying, hey, we've been breached is kind of serious, but if you like to speak up,
I'd like to highlight for a remote branch of the company, it is, it's a sales office or commercial office. It is not related to the company at any way in forms of system or integrations or it, even couple of months ago they had run somewhere and the criticalness was that their systems are not backed up. They are billed by the manager of the branch who opens the branch one day by himself and the guy expanded, the branch got larger and his data, all his data was encrypted. The only, the only thing we had that we had a policy for the companies that he needs to send the files of the business centrally. We stored here however, this backup or we cannot call it backup, these files were more than one month ago. So normally in the normal expansion of business, sometimes you have something, it is built, but you don't know about it at all. You only get ahead at the day of the attack.
That's right. Okay. Some samples and examples. So when we talk about the situation of initial access brokerage, we're talking about a specific market segment. And interesting enough, it is a sellers and a buyers market. It is not only a sellers market, it's it's not like Apple. Yeah. Creating a demand by desire. The desire is there. So this is, so these are from public, or not public, but from well known dark net forums postings where somebody is offering RDP access, privileged RDP access to German organization. And interesting fact to this I'd like to point out is the, the revenue 19 million US dollars revenue per year. Who knows why that is of interest? Anybody?
Speaker 10 00:29:56 Just a matter of how client is or the client the share.
Exactly. Its Can you repeat it? The audience? Sorry. So does, does anybody know? Sorry, I meant, Ah, okay, sorry. So yeah, I was about to repeat. Well, I make you the microphone operator. Thank you Dick. Yeah, what I wanted to respond to your question was that the bigger the client, the bigger the share is, even if the percentage rate is constant for this kind of product. Yes.
Speaker 11 00:30:28 And it's also, and it also creates pressure during the ransomware negotiations because when they get the sound, they start saying, Oh, we don't have that kind of money. But they say, Oh, but your financial reports say otherwise
To the spot. Thank you. This we are talking asset, we're talking about a business. And if, if, now think of it, somebody has made a decision to use the talent and expertise in a specific way. So I think I do have an expertise and talent to stand here and tell you something. Others might have other talents and expertises. And it was a decision whether to become a car dealer or a drug dealer. It is was just the question of the individual. How lucrative and affordable is it? And how much risk can I take for the most outcome? So speaking in business terms, somebody has made a business plan and calculated the risk against the return of invest and this is an indication for the return of invest. What threat actors are doing is not only obviously within the reconnaissance period to try to steal and try to identify any kind of weak spots, it is also that they're creating a profile about these organizations to understand how much risk you have to put in for which type or for which size of return of invest. And obviously the yearly revenue is part of that ROI calculation.
So here's another offering. Here's somebody offering John Doe, by the way, very active, a threat actor John Doe is offering well proven access assets. So these are the ones which are working on high privilege. And when we're talking again about these kind of assets, access assets, we're talking about pure gold. We're not talking about these asset, the credentials, we're talking about these, it's like the holy grail to IT. Infrastructure. These are these assets, what we're talking about. Here's another one, access to admin level, not only the access to admin level, but also the access into the complete supply chain of that organization. Now let that sink in.
Having access to the complete supply chain of an organization does not only put yourself your own organization at risk, it puts everyone at risk, which is collaborating with you. Think about modern IT infrastructure, we are talking about tight system integration. I mean I, I, when I started my professional career 25 years ago, I remember I was then assigned for a period of time as a need to procurement. The typical procurement process 25 years ago was picking up the phone, talking to the seller saying, Hey, what's your best offer of this and that item? Yeah, agreed. Let me send you a fax to confirm this order. And that's done. That doesn't happen anymore today. Today's complete supply chain is fully automated and fully digitalized. If the warehouse identifies a low stock of an item, a routine is executed to request delivery of that item to negotiate a price from the vendor by approaching the vendor system. There you go. In Spain network, 44 devices, administrative permissions, access to the infrastructure itself, being able to replicate the network traffic to any outside target you would like, what was it? 4K VPN access. So BA lot. Another very active threat actor. Kind of funny by the way. He's actually trying to establish an ongoing business relationship with next level threat actors like your organization, like you and I would like to create a trusted relationship with vendors, with suppliers, with customers. They do this as well.
That is their business approach. That is their part of a business plan. Yeah. And that needs to be understood. Let's have a look at BA lord, the TY typology of a threat actor. So what you can see obviously is the name, but also the affiliates. So with whom is he working? Who are actually the buyers of his work, of his results of his service? Which kind of system focus, what kind of tools, recent activities. So this is interesting to understand because that builds a profile. Now this is a posting, a query, which tells us that there are in total 14 billion credentialed sets out there. Put that in relation to the world's population, count that down and reduce it by those who do not, who do not have any kind of IT access. And you will break it down to ratio one to 20 of individual records. Now divide that number by 20. This is the number of single and uniquely identified credential sets out there. Sounds awesome. Kind of, I don't want to raise any threat or fear. 60 to 65% of these credentialed sets are completely outdated. They're rubbish because they exist from breaches years ago. So if you come across a specific credentialed set to an organization, it might well be that this particular individual is even not any longer working for this organization. But also not given the aspect of that combination might work, but there is still a rest of let's say 20 to 25%, which still works. And that's enough
Bias. Now we're switching positions. So these were the screenshots, these were the postings of sellers. Now we are looking at buyers here. The top one specific target of region iot zero day, first day exploits. Yeah, what you like. Same here actually belonging to the same threat actors group, but reaching out on individual levels Here is somebody offering, sorry, here's somebody asking as an experienced team of pen testers, access to corporations, regions, budgets, budgets, how much they would like to spend budget, 150 K for very privileged access. So this is how individuals are reaching out in the dark net to those who could deliver saying, Well I have the budget, please make me an offer. It's the same like, I mean I'm working for a software company, it's the same. Like I would go to you and say, well we do have something. Or you would come to me and say, well we need something in the likes of, and here's my budget. Does it fit simple business transaction next level, The whole aspect as a service. So this evil proxy and the level of a guard in that forum, I think that tells all, because there's nothing left higher than that is
Offering services to create fishing sites. So what does it tell us? Which platform? The duration of availability on the internet and the price in US dollars per duration. That's the current rate. So this is on the dark web. Say again? So this is the, these are the services, the platforms like Google for Microsoft, right? Cloud, Dropbox. These are the phishing sites. And the next slide will tell more about this, but it gives also then the very structured plans. Yeah, subscription plans saying, well for 10 days, 20 days, 31 days, I'd like to have 250, 450 or $600 for that period of time. It is, it's standardized. I can show you how standardized. So you can see here it's a full service including an advertisement and a demo because who was it? Get a demo completely free for one day as a teaser. Now the video please, does it come? There we are. So this little snippet of a video is actually an advertisement of the services. So if proxy, you might have seen it, is demonstrating how to build the lock-in pages, the lock-in functionality of, in this case Google, it looks completely similar, it's a phish page. What happens is a user of Google, fully unaware business users are calling that particular site entering credentials. These credentials are fished and you can see within the code, then afterwards the users forwarded to the actual page. So it creates a token to the target page. There is no breach, there is no media breach in this whole process so that a business user could understand what has happened. It's completely unaware. And that is on YouTube, by the way. Yeah.
Is that good? Sorry again.
Speaker 11 00:42:17 No, I just said that, that was my next question. How YouTube is not moderating and letting that videos be on their platform.
It's, it's keep it please. It's advertisement. It is advertisement. Again, we are talking about a business with a business plan and what is part of the business plan marketing. Okay, so does it work? Ah, it doesn't switch. Yeah, now it does. So getting back to this point, as you can see there are all popular services listed and you can see also depending on the price tech, how complicated it is. That's basically it. But still it's cheap. So this is not working unfortunately. So why is it in front? I'm sorry for that. Okay.
Okay,
So that was that. Yeah, get a demo. Oh by the way, bypassing any protection. Yeah. So as you can see here, any kind of sophisticated protection can be bypassed. It's another unique selling point of that service. So we also have the role of a contributor as any profound business in real life businesses are relying on word to mouth news
Reference. Yeah. If I buy, I dunno if I would like to buy a a bike, yeah, I'll go to the dealer, I'll go to the store and say, Hey, what's what's cool about the bike? But I also reach out to my peer group and say, I'm interested in that particular bike, what can you tell me about it? What can you tell me about the venda? Same here. You will find also in the role of a contributor, many postings on the dark web saying, well this is good, this is bad. Just to make sure that you make as a buyer a profound decision. That's basically it. So getting back to the question at the beginning, Sorry, hold on the microphone please.
Speaker 13 00:45:23 I'm just thinking what percentage do you think of these posts are false? I'm wondering if the scammers are sometimes trying to scam the scammers.
All of these postings are true. Are real because, and and, and maybe we can, we can chime in my colleague again for this kind of question because he's doing the research on that and he can tell a bit more about it. Sogar, if you hear me on you to take this
Question,
Thank you. First of all, thank you for asking this question. Very valid question, right? Yeah. We see lot of no false posting on a large extent, but whatever the, the attack you see the postings you've seen. So these guys are well known in the underground, right? So right. So when, for example, the baard where you see the profiling, So he, he's the person who disclosed the vulnerability in the lock bed, right? So, and he's also having association with lock bit. I, I think these, these the tactics we follow and these are the well known and no is not the right words. Still I'm using that no in underground forum. So no, these guys are that trusts.
Yeah. So maybe I can switch back to one of those particular slides because this is an earned ranking. It's not a board ranking, it's an earned ranking. So anybody in that particular level or being claimed as a God has built for himself as a threat actor, reputation within the community, simply spoken. They're not talking bullshit. Yeah. Does that answer your question? Yeah, yeah. So here, here's the point. The, the threat actor community itself is observing itself. Yeah. Somebody who's, you know, trying to play a big role is instantly being out called Yeah. That, that, that's happening amongst threat actors. I wouldn't say that they have this kind of, let's say honor yeah, to be a threat actor, but they would like to keep their system clean because they have to rely on each other as set. You remember the slide deck with the handshake? That is basically what's happening on a virtual level. These guys are working hand in hand together, not only guys girls as well. Yeah. So it's, it's not a gender specific role,
Speaker 14 00:47:50 I
Dunno. That's basically it. So this kind of attribution within a forum is important.
Speaker 14 00:47:58 I forgot the question. Is it known how big these companies are? I think it's not the one one man show.
No, definitely not. So threat actors or threat actor groups. Every time we try to understand how big these comp companies are in quotes, it is not easy to identify. What we can see is based upon postings, based upon activities, based upon work. So for instance, if they start creating malware, start coding, it's like a fingerprint. So a developer can create code with its own fingerprint or a group as well. So this is then uniquely identifying referable to somebody. And upon this we try to somehow find out how big these groups are. And actually they are in certain cases quite large, not in this, you know, enterprise scale, but we're talking about a two digit number of individuals. Then this is typically for bigger tasks and bigger objectives as we can see with, with the Ukraine, Russian or the Russian invasion in the Ukraine, state driven threat actors, they are out of Russia, be rules. They are a bit larger. But again, we're talking about a group because there is specific expertise required like in, in our daily jobs, you can't do every job within your organization. You have a talent, you have an expertise for the individual requirements within your organization. Somebody's a good accountant. Another one is a good, I don't know, mechanic. No, same here.
Yes, please.
Speaker 11 00:49:40 Yeah. And when you mentioned that there are two dozens usually in those kind of groups, did you mean only technical people or did you mean other roles? Because for instance, after the leaks of the county, you know, messaging, it turned out that they even have HR and there is a corporate kind of structure.
Yes. Now let's, let's take KT as a good reference. So KT is facing the situation where they've been exfiltrated and what is it, 40 terabyte of data, which is a huge amount just files, right? It's a leakage out of their file services. So what threat actors need to provide is not only the technical capability of intrusion, intrusion, exploitation, exfiltration, they need to work with the results because they, they need to value the result because that defines the ransom, right? So what they need to be able to is they need to have the expertise of business operations data analysts because they are now working through a huge amount of data of files, which with which they need to find out how valuable is it what I hold in my virtual hands. Okay? So there are multiple roles to this, but by the way, this kind of task is also something which is outsourced. There is another threat actor group just working on that. Yeah. Yeah. That's interesting. So Q's really interesting. So, so the quantity representative was asking in a chat forum, dark web chat forum, the threat actors what guarantee they can give that the exfiltrated data will not be shared or used otherwise.
That was interesting because what we observe is we're not only looking at a, at a at a double or triple extortion in these cases we're looking at a quadruple extortion. Meanwhile, I mean it's, it's so apologies upfront if you are a vegetarian, but being a butcher and preparing maybe an animal, put it into pieces and make the most out of it. That's the same principle. You try to make the most out of everything, of any pin kind of asset you hold in hands. Yeah. So what happens is, of course there is the ransom, everything's encrypted and the company needs to pay the ransom to receive the decryption key just to make sure that this exfiltrated data is not published. At some point it'll be published at a whole and that defines a certain revenue. And then after a period of time you'll find segments of it because somebody started cutting these kind of data into valuable pieces by putting work into it, data analysis just to find out what is it exactly what I have, just to make sure that I make the most revenue out of it. Getting back to the return of invest. Yeah. So that's the quadruple extortion to answer the questions. Is it possible to break the cyber kill chain? Yes. S
It is important to understand that there are these threats, that there are these technical possibilities, that there is that particular business. And as we are talking about this and we've presented these screenshots of, of, of, of dark web postings, it is possible upon observation to take note of it in advance of time. And that I think is one of the key elements. We're talking in the third session as well to be predictive and prepared. Because once that particular situation has started, you are in a purely reactive mode as an organization you are in panic mode. Yeah. You are not prepared. Most cases, in certain cases you are, but organizationally, technically you're not prepared. This is what my colleagues of Deloitte will talk about as from a threat actress perspective, yes, they are pos or there are possibilities to improve, to optimize the cyber kill chain. Initial access brokers with their business approach are skipping two to three stages within the kill chain and that reduces the amount of time for actors require to recite within an IT infrastructure within an IT organization to execute to their objectives. And this reduction of time limits also the chance or decre decreases the chance of detection. That's the challenge today.
Thank you. So any questions, any comments?
Speaker 18 00:55:02 First? Sorry that I joining late, so maybe the question has been already answered in the beginning. I just wonder whether the amount of exposure of publicity of targeted of targets, so very targets as you call them, is, is there, let's say a relationship between this amount of exposure and attack likelihood?
It is part of the negotiation whether or not you are listed as a victim because it's a, it's a, it's a, it's a reputation issue now,
Speaker 18 00:55:38 But reputation would maybe, and reputation of course somehow relates to publicity. Okay.
Absolutely, yes. Because as an organization you don't want to be listed on these forums. You don't want to be noted. Okay, here is a question. So what is the most efficient capability or feature a company can implement to stop the kill chain? It depends. It depends. Yes. Thank you. Let me give you the typical German answer. It depends and yes, again, I would like to refer to session two and three to answer this question. There are multiple approaches and you need to address it from a very comprehensive perspective. It is not a siloed aspect, it is not a siloed view on a specific challenge, on one challenge. It is a holistic approach you need to take and that is important to understand. Any further questions?
We will elaborate a bit on that later.
Yes. Yeah, so thank you for the, for the hook with the, it depends. So if there are no more questions, I mean we we're anyways, the next two hours in that room, I'd like to yeah, five past in about, was it then 12, 13 minutes. Oh sorry, seven minutes. Buy or break a coffee, whatever there is. Maybe you can think about any kind of follow up questions. We're here. Thank you.
So very good. Thanks for being back and I hope you enjoyed the first session, which was around threat intelligence and what you can see on the dark site. And what we want to do in the second session is as we,
As we made our workshop part in three, we broke it up into three sessions and called it Yeah. Along the cyber kill chain. So what we wanna do is we want to go further along the cyber kill chain. So what we saw in the first session is, yeah, how can you see what's going on before you got hit, right? So the first part of the kill chain and what you can see when you have a monitoring service or you have a threat intelligence provider or you do it by yourself with threat intelligence information or open source intelligence or whatever, maybe you are aware and you realize there's something going on and I'm discussed in the darkness as a potential victim. Good. But as you know, often that is not happening. And then we are in the other part of the kill chain and that is where we want to focus on in the second session.
So as I'm within Deloitte responsible for cyber incident response, my colleagues and myself go on site then in case, yeah, you get it by, for example, ransomware attack and then what happens in those kind of crisis. And what I want to do is share with you how does this go on, What is then the reaction? So the cyber incident response, What are critical success factors, What are lessons learned and what can be done better? And that will be then the part of the third session. So first session, first part of the kill chain, second session didn't work, you got hit, what happens then? What do we learn? All of that and what can be done to get prepared. And that's then the focus on the third session to look well from the lessons learned from the incident response. Yeah. What can be done to get prepared? What are the different aspects for intelligence is one, but there are many others. Coming back to the question of the colleague, maybe it comes back then later. Good. First of all, we want to, as this is a workshop and we like to be a bit interactive. Yeah, we, we want to go again to mentee. I think you all are locked in.
Speaker 19 01:00:19 Yeah, well that's in this case another code. So
Please bear with us and and scan that one or go to that page because we want to Yeah, have some or some statistic actually to, to raise kind of say curiosity on the one hand, but on the other hand also as little ice break after the, the second or after the, the break. So if you could scan that please again there we got it. And we'll go to the to the page mani.com and just enter that eight digit code. Then we can start off with that just takes a couple of minutes, but some statistics and stuff we wanna share up front. Ah, hearts are coming in. That's always a good sign. Perfect. Okay. Just taking a look to the audience, but it looks like people are ready. So,
So let's wait. It counts up here so that you can scan it with your mobile as well. You can also go to mentee.com and put in the code, which is this code
Exactly up
Front at the top here, there's a code. You can also manually put that in.
So yeah, you can see the question. Feel free to, it's anonymous so don't worry. So what percentage of organizations have had more than one breach is the question just to call it out.
Yeah, and that's an interesting question. And you'll see already that 83% vote that what are they mean 83% have more than one breach, right?
So that's actually also the correct answer, so to say, Oh
That's really exact. Cause it's, it's a good guess.
We'll share, we'll share the statistics afterwards as well or where we got the sources from. But let's move on.
Yeah, there is an IBM study Yeah. Saying that 83% of the organization say, well I will sit more than once. Right. Which is interesting. The microphone
Is, Sorry, that's a i I yeah, I can repeat that question. So how, how long do you take a stay undertaken in the network? And the question was whether these numbers are days or weeks, right? Correct. So, sorry, good question. It's days. Okay, let's reveal it. It's actually 21 days. We'll come to that in a second because that's, I saw some enterprised faces. That's, that's true because you may be heard of way longer periods of time. I we'll elaborate on that a little bit in a in a second. Moving on.
Is it worth or without the ransom
That's in this case without the ransom,
The 21 is the ever Right, right. We will, we will come to that question exactly. Is it with or we are without ransom? That's an interesting question and we will have a deeper look on that question. Yeah,
It's, yeah, that's part without the actual ransom payment. So in that case, so to specify that it's 4.35 million US dollars and again, we'll elaborate on stuff shown here in a little bit almost there. Second to last question,
Yeah, we have had this question already in the morning session.
Okay. It's actually 53% in that case. That's based on the study of, I think it was entrance. But we'll again share the sources. And last but not least, and then you will relief you with the questions. How high are the average cost savings associated with an incident response team in regularly tested incident response plan in US dollars cost savings in that regard, It's based on an IBM study, so it's 2.66 million today according to that study. And we're going to elaborate now on a couple of these questions and turning back to you and I will unshare my screen. Thanks for participating.
Okay,
Good. So thanks for answering that and that were some quite interesting statistics, right? And let's have a bit, a deeper look onto that and I will come to that a bit later. So that were the questions and let's have a glimpse look on this. Yeah. Dwell time cold. Maybe some of you heard that. So what you see is that this yeah, was going down very fun in the last count, right from 416 to 21 and also our studies show the Deloitte studies that this Yeah, we, we had some years ago it was 192 days and, but it has gone down and the question is now why did it go down? And maybe you have a view on that. Why is it going down? Did you expect that it's going down some views? Maybe we put around the mic. This one you have also.
Yeah, I mean I guess if you were gonna get hit by somewhere, you know already, right? You you, you're down. So I think a lot of organization, I think if it's more sophisticated access, like non ransomware, I would've expected it to be longer because those are depending on your detection capabilities might be difficult to pick up. But something obvious like ransomware, you know, okay, user contacts you and you got an issue, right? And that's probably the easy one, but surprised what,
It's a surprise, right? Your, your view I
Speaker 20 01:07:38 Guess would be that attackers are more efficient and reach the target to extort or exploit the status much faster.
Yeah. So yeah.
May, may I also add a comment to this just to to to, so that you understand the number. So the dwell time is the duration, when the first infiltration has happened until detection and the average of 21 days, you need to take into consideration that the dwell time could easily be zero. Why is that? The security parameters are hitting. Yeah, so they've been detected instantly that counts into that number as well. So one of the aspects,
Speaker 21 01:08:23 And I, and I would say that we need to, we need to recognize that the industry has gotten much better. If you look at 2015 ER was nonexistent virtually and how many invested heavily on, on a proper. So in 2015 we were already always discussing how to bring in data into the soc. Now that is already a problem that we've got solved. So we are doing a better job.
Yeah, you're absolutely right. So one thing is we have done a good job, right? So the last card we focused on the topic and our vigi is getting much more better. So we identify much earlier that something is wrong in our network with so cm, whatever is implemented, that is one reason, right? But another reason is also that at that times the attackers mainly focused on stealing critical business data. Yeah. Theft. Yeah, data theft, things like this. And they didn't have any interest to get identified. Nowadays most of the attacks are ransomware attacks and they have an interest Yeah. That that you are identified and so the figure is going down because yeah, they sent you a ransom note and you have to pay. And so that is also a reason that the business model has changed and that is also one one yeah. Possibility to explain that figures when we look here a bit deeper that the average is 21, but when you divide in ransomware investigations and non ransomware, then you see the difference. Yeah. So in ransomware attacks you have an interest to Yeah, close the case quite quickly, get your ransom and then go to the next victim. Right?
It's the quick roi.
Yep. So interesting, interesting figure. Yeah. What's, what other figures do we have? Maybe let's have a look. There was one question. How high is the average cost of a data breach? Yeah. Which is 4.35 million in the IBM study from 2022. So quite recent study. And we also have here US figures and German figures and for the US it's 9.44 million US dollar and Germany average cost is 4.85 million. So a lot half. Yeah, A lot lower why ever, but that's the statistics. Good, good. What else? Any questions on the, the statistics and any surprises? Anything more we want to elaborate here on, on those things? So interesting. I, I think also how many companies do think that they are well prepared? Yeah. It's more than the half, 53%. And this morning there was another session focusing a lot on, on BCM things and there was similar question and a lot feel well prepared.
But when you see home or when you read the press and when you see what's going on Yeah, it doesn't really look like that. Yeah. So maybe they feel prepared and they aren't really, Let's, let's discuss that maybe at the end of the session. Good. So need to go to this one here. Good. Well you are all cyber security experts so I do not want to bore you with, make you more afraid what's going on And the threat landscape is changing. You hear that? Yeah. Every day. But let me share with you some views on the whole Yeah. Trends. The mega trends and what's going on from my perspective as a cyber incident response guy, right? So what, what am I thinking about and what other newer cases we have? Yeah. And what is, what is the development and, and for what do we as incident responders need to get prepared.
And that's maybe a bit around here. So one thing is the whole mega trends like artificial intelligence, smart industry for zero internet of things and all this, that is a development. What we see more and more, and you all know also with new mobile standard that the whole factory gets connected more and more. So we have more and more connection not machine to human. It's machine machine. Everything is connected. And when we look on the security maturity of those devices, it really makes us afraid. And those devices will Yeah, they got sold now they are implemented, they are in the market, the things are connected and they will last long. So they will be there in a factory. The machine, when they, when it is connected, it is for 10, 30 years depending on the business model. We have connected medical devices. Yeah. Like inline POS and or blood pressure thing.
And this all gets more and more connected. You already can, That's normal when you support your hearing. Yeah. You make it with your smartphone. Yeah. And things like this. So everything also in the medical area will be connected. And this is all Yeah. Hackable. Yeah. Right. This, this is all vulnerabilities and when you look to the security things, Yeah, it's a lot on efficiency and needs to be small and security by design. Yeah. We are far away here and we need to reflect this when we want to get prepared for cyber incident response. So the latest and most interesting projects we are currently making an incident response is within cars. Yeah. So this was hecked, there was something in the backbone. They come with us to the question, were the hecker already in the car and how can you get evidence on this? Were they able to take the breaks?
Things like this. So that is nowadays incident response. Right. And also when you look on the, on the cases, Yeah. The the, the most critical thing is that a factory is affected and then there was a case with a global aluminum produ producer for example, with a whole and the main objective was to protect the facilities because yeah, there are heaters in a factory and when they are attacked, the production process stops and every heater will break and there is millions of loss. And also one big case it's quite a while ago was the mask case. Yeah. I name mask. Because you can read in the press that we were involved in the incident response. The incident response was the smaller part. Yeah. Technically the bigger part was then the Yeah. Recovery. Yeah. To ramp it up again from zero. So no ship did know what is in what container, what is my target hub or so everything, that is a good example for internet of things.
And what happens then? No doors opening, no access to a factory. The roads get crowded because of the The trucks Yeah. Standing on the highways. And so a lot of both stories around that. Yeah. Where you can see this is getting more and more and we need to get prepared that everything is connected and that is vulnerable and we need to make incident response in that environment. And that is industry for zero, internet of things smart and so on. Another thing, and that is the same issue, not in the physical world. So you have this connected everything which makes an issue in the physical world. You have the same within service companies. Yeah. Like insurance companies or banking or whatever, where you have more and more artificial intelligence and software robots. Yeah. Doing the whole process. So there's nobody, when you ask for an insurance, there's no really agreeing.
You get that insurance or you, you have that rating. That's all automated already in the financial industry. And this will be more and more in nearly every process. And that is done also by robot software, robots and AI and so on. And when you look on studies, how secure is this AI and what can you do with it? You realize that there's there, there are a lot of vulnerabilities. So there is a lot potential for the new evolving business models for those groups who are currently monitored by you. Yeah. And they will go more and more to that field. And also we use this digitalization as a chance. The whole industry, the whole society is digitalizing also the hecker groups. So they also use AI and big data and all that kind of fancy things. Yeah. To make them more efficient. Of course it's a business model and that makes it a lot more efficient and they will find very good ways to attack you.
So that is this mega trends on both sides. Yeah. What else is interesting? So we also have seen a lot moving into the cloud and this brings us to something like third party risk management. So we see more and more the attacks are not only a ransomware attack. You mentioned this case, which was today in the hundreds blood press, right? This automotive company where it was a ransomware attack, I think in August, something like that. And now today in the press it was mentioned that they have 40 terabyte of data where you do not really know what is in there. Is it an m and a case or some legal cases or that can be in the data you do not know. It's just 40 terabyte, which says it's a huge amount, but you do not know the risk here. And you see with this, that the hacker to get more pressure on their ransom negotiation request, right.
That they do not only do ransom and encrypt you, they also steal the data until well pay or I leak that. And the difference with this is with the ransom, when you recover, it's gone. It's you're done hopefully. But with the leak data, Yeah, that's a way you, you, it's out of your control. The risk is out of your control. You can't do anything. You can can trust that they will not publish hope, pray whatever out of your control. And another thing is the attacks are not when you are the the target. It's not that you are attacked and you make sure that you are safe and good and have a threat intelligence monitoring or something like that. More and more the attackers go along the, Yeah. Supply chain to the third party. So you need to have a very proper third party risk management.
And you need to make sure that your partners are also safe because when you got hit, you can, you can blame them and try to get money back from them that will help you or nothing. Yeah. Right. So your production line will stop when one of your supplier is hit and when a cloud provider, whatever, we all pray that this is not happening. You have only, I don't know, three cloud providers or so when there's in the tick, I think we all will not have enough incident responders to handle that. But that day will come Of course. So you have, you have here another risk situation. It's good. I do not want to say anything about against cloud. It it's, it makes things a lot more secure. Cause you do not need to think on pitching whatever that is done. So you have a good environment.
So of course this is the only way and that will happen everything. No, nearly everything will go to some kind of cloud environment. Yeah. But that is another risk situation and you need to reflect that in your risk management. Also. You need to have a good third party risk management. And this is also reflected in the regulation like Doha, which is coming up. And that will be then for financial services this next, next year I think. Next year. And also in critical infrastructure. This will be implemented then. So you are obliged to manage that enough on that I think. Or you have any questions around that? Don't be afraid. No, that's, I don't want to make you afraid or but it will be interesting times. Mm. Yeah. So I want to go quickly over that. So also what we realized with this trends that all these cyber things, they came out of the IT area.
It's now a business issue. And we have more and more supervisory boards asking us, well what is your opinion? How safe are we? It's more and more not the cio, Cecil asking us for our opinions. It's more the board. And also when you have incident response, it's a business issue because the business interruption, that's the issue. So when you then ask that is for example, what is it here? Deloitte, it's our, you also see that in the ALI'S risk barometer for example. That's another all come to the same conclusion. Cyber incident is the top risk business risk, not IT risk. Right. Business risk. Interesting. That is in the last years it it's like this and within this cyber risk it's the ransomware that's the highest risk and it's a, as we learned, a very attractive business model to do that. So all it, what has done in former times weapon trading, illegal weapon trading or pornography or drugs dealing or whatever, that is all more risky than this business model.
So they all went to it beside state sponsored activity to to go around sanction via things like, don't know, Russia, Oscar or whatever. So they are not able to to get us dollars. So they use this model as well to go around sanction violations. So that is also a reason why that is very professional business model. Okay. So I think we can skip that. So some examples we already elaborated on some of that. Yeah. We heard already this morning there was a new one every day there's something going on, but maybe we can have a look at one case later.
Good. So the cyber kill chain, we already saw that you are focusing on that part, right? So we are now let's, let's think that that didn't work and you'll see then your encrypted ransomware, we are in that stage in the cyber kill chain. Yeah. So what happens here, that's now the focus we want to take and let me share some insight with you. And also I'm very interested in your experience. So maybe some of you have already experienced that and what are lessons learned and critical success, success factors. So that's a workshop. Let's share our experience and then extract out of that what can we use to prepare something to get better prepared. Then so what happens when, when an incident occurs, So we have an alarm, it got escalated, major incident kind of soc whatever and it got up to a special level and then maybe our hotline or the insurance company hotline or you have your own incident response, get alarmed.
And then what happens normally in the first Yeah. Hours is to make a first response. This is normally remote. Yeah. Within a few hours. Like a triage with the team. Yeah. And decide, yeah, how big is this incident? Yeah, how far has it gone already? And do we have immediate things what we can do to contain it? So focus on containing and deciding what do we need. Do we need on site or not? Depending on the case initiate that someone is traveling on site and what parties we need. And then there's also an onsite part. Yeah. A triage containment analysis activities. We will go to that little bit deeper clear, right. Good. First thing is it will be good when you are hit by an incident to have something like this already in place. So when they then need to go to Google, who is doing incident response?
Is there a list of the BSE who can call, do I know someone and then ask him, Well I have an issue, I need you here into ours. What is your rate? That's a relatively bad position to negotiate on those things. So I I like that. Yeah, of course. But it's also, No, I'm joking. I don't like that because it's also for the incident responder a bad position. You do not know anything on the client. You do not know the system. You have never worked with them. Yeah. You need to onboard them, need to make the whole contract and then within hours and then you normally need to go onsite help without any contracts because you don't have the time. You need to serve that later. And that's always, Yeah. So better do that in advance and make something like a retainer contract or partly it comes with an insurance when you get an insurance and let's get cyber insurance.
But that's another session then. So when you have something like that, you have a network of professionals who help you in that situation. They give you a hotline and they have a network of what you will need. And that's not only incident responders. What we do then is we have different work streams. So that is how it looks normally what you put then on side and you see here recovery response, remediation, investigation monitoring. So and then you have a crisis management team and the communication part. So the lessons learned is that it's not enough to have a good cyber forensics or incident response team. You need to have for sure a good crisis management. So this is done by you, the client or you have a professional there who is used to this kind of situations and that are different management methods. So it really needs to be a good crisis manager.
So not everyone is Yeah. Is good for a job like this. Yeah. For this stress situation, you need to be educated and need to have your methods and how to communicate. So you need to have a good crisis manager and communicate with the board who is then every hour asking to the technical incident response team, Did you so it, are you ready? What is the status? Hop on a call. And they were not able to work anymore because of this nervous management things. And also we have from outside. Yeah. The clients asking, calling and you need, need to make sure that those teams can do their work. And you have on top Yeah, a layer buffering bit. Yeah. And prioritizing and, and make a good communication and situation center and communication plan and do this kind of things. That is one thing beside incident response, technically you need a crisis management, which is good.
The second thing is you need to directly start with a recovery team. And that is also a different skill set. So normally everything is down and you need to start from maybe zero, hopefully you have a backup. But also when you have a backup, Yeah, it's maybe on a tape. What do you do with that tape? Because you do not have the backup server anymore. It's, it's encrypted. So you need to first find hardware where, where do I install this version of backup software? It needs to be the right version. Right Where where's this version? And then you need to have a lot of space. What you normally do not have, everything is encrypted. So you start searching around where do I get hardware? What can I buy to ramp it up? Yeah. Because you normally do not know at that point in time how the hecker got in the system and how long was he there and is my backup clean or is the malware already backed up?
So you, you need to have a A infrastructure environment in different stages. Yeah. Like black, gray, white or red, yellow or green, whatever you name it. Where you write back your back and then check is it clean or not before you reconnected to your network. That is the recovery part. Which is a very important part. Cause you do not know what is the right way now to go. You start directly recovering, which is mainly backup. Is it? Do you have one and is it working? We come to testing of backups later cause often they are not working. But yeah. And to make sure that your network is clean, you need to know how can I see if it is infected or not. And to do that, you need to have here this investigation part. And that is the technical part, the cyber forensics part. So forensics is often meant like being court proof, which is in incident cases not the most critical thing.
Yeah. It's better as a forensics guy to have to set up and try to be as documented as you can and not destroy any traces with recovery things. But more important is speed because you need to get to business as soon as possible with Yeah. Destroying, Yeah, less traces as possible, but it's more important to get back to business. So forensics here in this case is not being court proof, it's more you need to go back to the initial vector where they came in and find patterns. Yeah. IOCs, whatever, how they got in and what happened then. So go back to the machine which was infected first time and then make a time analysis. What happened then? And use this pattern to search in your network. Where is it as well where maybe it's not already encrypted but already in the model is in there.
And also to see what happened after they were infected. What back doors are in there. Because normally the hackers go in the network with, I don't know, an unpatched system or why credentials. And then they have lateral movement and they put in back doors so that they can come back. So when you, when you do not know that and you do not do a proper forensics, you do not know in the recovery if you are clean or not. And maybe you have the issue then two months later cause as you saw it is a great business model also to sell this. Yeah, maybe it's a different hacker group then after half a year they buy that. And then you got tech again with another hacker group. That also also happens. Yes. And also the heer groups reform. So that is one virtual group and then next time we find another name and we see, well this person was there and now he's working in that group and has another network and maybe he's reusing things like this. That's the model, right? So you need to make sure with forensics that you know, how did it happen and how can I close that?
And, and if I may add a note to this, why it is so important. Frat actors during reconnaissance are reiterating their reconnaissance activities because they would like to understand if they have a specific organization in target, they would like to understand their level of cyber resilience. So if for instance they identify leagues vulnerabilities and they test maybe one of these high-privileged credentials, they do it, they test, but they don't use them because they would like to understand over a period of time how this particular organization is operating, how resilient are they, what kind of internal processes are are in place for patch management, password policy management, et cetera, et cetera. Because that again is referring back to the business model because that defines the risk level and correlation to the roi.
Yeah. What you also see here in the investigation part, and that is linking back to you, that we also have here a phase of doing threat intelligence. So it's also one of the first steps when you go into the deeper investigation to find out what group is that. Yeah. By looking in the system, look on the, on the malware, whatever, can you dedicate it to a special group? The pattern? Yeah. Normally they do it always the same time and when you know that is how it happened. Yeah. And that service are used for, for reloading, malware, whatever, you know. Well most probably that is there in the heer group. And it's important to know what motivation do they have because when they, for example our group who steal data away and then put on an encryption to wipe their traces, well it looks like it has a ransomware attack.
But when you then think on, well maybe I pay Bitcoin and then I get a decryption cre, that will in that case not work because it just looks like it's a ransomware tech. But it was to wipe traces could be especially spade sponsored things. Yeah. Could be sabotage, you don't know. So therefore here also threat intelligence, not as a monitoring service ongoing as a one time service to check what do I know and what threat actors are there and what is already in the dark net and what do they discuss is important part good. Also monitoring that is also an important part. Mature organizations, and I'm sure you all are in a mature organization and have a good monitoring system, good use cases and you have a, and you don't need that in my experience, especially when you look on middle market and the German attacked companies are often smaller ones who have, are quite a good security but not so mature.
They do not have a sock or something like that. So they do not see anything. And also in that face, they do not have the capability to monitor their network activities. And in that case it makes sense to put in a cloud-based solution, an appliance, whatever, a piece of hardware in the network to monitor UN anomalies, UN anomalies in the network and find out if the hackers are still active and what is, what is connections to outside which look suspicious, whatever. So if also when you have a SOC and things like this, they didn't discover that so maybe they thought, oh, false positive, let's put away all this. Yeah. We do not have the capacity to look in every, in every incident here. So, and then it does not work. So here also it makes sense to enlarge that capacity. Cause obviously it didn't work. There's a question. Yes please.
Speaker 22 01:39:02 Now when you mentioned, so I wanted to jump on on this question. In the case when the company actually have their own soc, when would you say it's time to take the incident from the SOC to incident respond team?
Yeah, so that is very often the case. So we have clients who outsource to Deloitte the SOC functionality in different ways and then our SOC escalates to the incident response and triggers that also we have clients who have their own SOC and have then here I don't, we're already and have here a process in place when it is classified as a major incident and then they yeah identify here this is no incident case and the next level needs to be taken. So this is a question of defining the process. What does the so handle, what are they capable to handle? What criteria do they have? Yeah. And when it's above that, that criteria, then they are applied to escalate to a service provider or whatever. Normally that is also one issue. Very often you have a nine to five sock operation and that is also the heck and all that they are really, they do normally things like this on Christmas, Friday evening and things like this. So also that is an issue that you have a 24 7 hotline for incident response, but you only have yourself a nine to five sock operation, which is also then a metric, right?
Yeah. But does it answer your question? So it's a process definition and criteria defined. When do I alarm the incident response? Good. Yeah. Let's, let's have a look a bit on, on some phases. So you saw already here this recovery response and so on. Let's have a bit deeper look into that things. What can we learn from here? So we will come to that in the third session as well. Visibility in the containment phase, especially on assets, that's very often an issue. So very often we have the situation that we go on site the client and start with the recovery stream and fairly okay business, tell us what business is most important, what do we ramp up first? What second whom can I ask? Who is the owner of a business process, whatever. Do you have a BCM with a business impact analysis? Business impact analysis.
Then we can just look in it and everything is defined there. Unfortunately, very often they do not have a good asset management asset inventory. They do not have ownership and they do not have a bcm. And then you start with a small business impact analysis in the recovery phase, which is then not the I thing. So lessons learned. Yeah, things can get prepared in advance. Yeah. And when you have that, it makes it a lot easier. And when you do not have any clue what assets do you have and to what business process is what server belonging. Yeah. When this server is work, it is a way you do not know what business process is affected. And then that's really not an I situation for an incident responder. So visibility enterprise-wide to assets. Yeah. And ownership. Yeah. And also with including third parties is a very essential part.
And also that is then a bit to containing to have a good segmentation. So I often wonder when I hear, well ransomware whole company worldwide get infected. That was for example the mass case. Yeah. Within two hours. I think the whole globe doesn't sound like they have had a good network segmentation or they were too slow to shut it down because they were not monitoring whatever. So in that cases, when you read that in the newspaper, you need to, you need to ask, well maybe the, the monitoring was not not sufficient or the segmentation, but normally nowadays that doesn't need to happen anymore. Right. The next phase, I need to speed up a bit. Eradication. Yeah, there is, I already stated the incident analysis is important to know about the patterns to clean everything up. And then also endpoint protection and things like this. That's a very important thing you normally roll out then tools. Yeah, EDR tools, whatever. And also in the first step, patch all the systems to the newest level and do all those things. That is part of the eradication phase and recovery that we already discussed. This I will point here, especially on backup strategy. So we come to that point a bit later. Normally you have a good incident playbook and you can just look up the playbook and then go along that in an incident case. It is good when this is tested and you will realize also things that are not working. Sorry,
Can you take over? Sorry.
So yeah, with regards to that pickup strategy and the recovery strategy I've just mentioned, the thing is, and of course also with testing is, or let me different with a, with a, we got a question actually the morning session, which I wanna, I think fits you in quite well because we have that recovery, maybe you guys remember point objective of, for example, life, life data backups for example. We had that one. And that's an interesting thing because nowadays of course when talking about for example, ransomware proof backup strategies, that's a whole different discussion because to enable, for example, ransomware proof backups, this for example then requires stuff like containment or container vaulting systems. So the thinking of backup strategies, thinking of backup intervals and stuff like that, especially in protection to ransomware for example, is a whole different story. And why is this important for the recovery phase?
Of course that sets first the ambition, what you actually have at hand. Or I've talked also about what you kind of proving whether your backups are actually rent to approve or free first before you can roll it back. But then it's about that environment you can actually set up in order to to to get ready and recover and, and test that. So that's important stuff for the recovery phase. And also because I mean when you would also maybe for example say well you got recovery plans and stuff and you you, you have certain stuff already covered in, in a stage that you would say, well I know how to set up this server. I know or that environment that that application. But then the whole thing is the overall orchestration meaning kind of what if you especially have to do it from scratch, what really comes first in which order? And also what's kind of the, how quickly is it bringing back my business for example? Because that's then the overall really orchestration of the whole situation of the whole thing, which is far beyond what you usually do as part of regular backup or restore testing where you have like individual applications for example. But then when it's really the entire business from scratch, that's again then a whole different story and is in many, many cases we experience done actually in the case itself.
I'm jumping a little, Oh the question a second. Sure. Sorry then
Speaker 20 01:47:36 No issue. So when you start your incident response activity, there is this forensic work stream you and you try to, to get a grip on the threat activities. So what is your best practice in your estimation? How possible or likely is to, to hide your response activities from the actor? So there there are grouper emails, just network activity. Does it make sense from your point of view? Does it have benefit?
So you mean hiding if you're defected the company hiding from the attacker from a threat actor, what you are currently doing.
Speaker 20 01:48:21 So they call in Deloitte and you, you start with all the activities you with recovery and et cetera.
Yeah.
The better you can hide, right? So the threat intelligence part is important. Yeah. How do they normally behave and how do they got in to see what is normally what they are doing and to keep away from that area. But it's always a risk and you need to judge, do I shut it off now or do I keep it and see what are they doing, monitor them to learn what, what they're aiming for, right?
And the other thing to add
To that is you need to judge in a lot of situation, you need to judge, well I go that way.
And also to add to that, since it is a business model and ultimately they kind of want you kind of to, to get back at some point, right? Because I mean maybe in the future you're a victim again and you're paying again or so there's always also that in parallel, or not always, sorry, but in many cases there's a negotiation stream in parallel also going on. Meaning that we talked about also different roles for example at a tech groups for example, which have like people are good negotiating for example, where you're negotiating a to ransom some itself on the amount. And I mean of course they know that you're going to do that. And for example, I mean if you're shutting them down completely, for example, your network and of course you can clean up step by step and make sure that potentially nobody's in there anymore, they cannot see it anyhow. But of course they know what is going to happen at some point if they did their work in a good fashion, then they know what you can actually do without paying or with paying and then yeah, basically. So it's not, it's not too big surprise anymore to them. So yeah. Does that answer the question? Perfect.
Those simple test practices.
Yeah. Well that's, I hope that's not the key takeaway, but yeah, I mean it depends. Right.
Speaker 11 01:50:30 And I also wanted to ask, so you guys also do like the negotiations during ransomware, is that correct?
It really depends on what's being asked. I mean that's, that's, that's a stream which is usually going on because for example, you have that ransom note with an id you have that a chat or an email address where you can reach out and that's yeah. Either either supported by us or whomever. Yeah.
Speaker 11 01:50:54 But how often do you come across the requirement from the threat actor that they are not supposed to involve the professional negotiators?
You mean that the threat actor is, for
Speaker 11 01:51:05 Example, some of the threat actors state explicitly that they're supposed to negotiate themselves, they don't want any middle man. Yeah, because then they can kind of get better conditions, you know, with the victim that is less experienced than the professional negotiations.
Yeah, well that's a tricky one. I'm,
That happens. Yeah. So you're, you are referring to the real life example. If somebody's kidnapping a high profile victim and doing the call and do not involve police this kind of call in the like of threat without professional negotiators. Well yes they do because the pro, because the professional negotiators, they obviously know how to handle such situations and they are quite successful in lowering the ransom and that obviously is not wanted by the threat actors.
Speaker 11 01:51:58 So, and my question is, so you then you are trying to hide your presence in the chat for example. I know, I don't mean like the instant response strictly, but during the conversation with the threat actor.
Yeah, in general, I think it is not a good advice to the client to go for paying the ransom because when you really calculate, first of all, you put oil into the whole business model. So it will maybe be the case in, I don't know, a year or whatever that it's forbidden in some countries it's already forbidden. I think that's a good idea. Germany currently not. Okay. That will maybe change, don't know. So our advice is always not to pay the ransom because also the whole thing you, you try to speed it up and you calculate, well I lose 1 million a day, the ransom is 6 million, so six days it's a good break even, right? The issue is you do not know how did they come in and you decrypt and then you are final. That's not the case. Yeah, you need to do all these things as well because you do not know can I trust the network and are they still in and you pay twice, whatever, so you need to, it's not really cheaper to pay when you do it.
Right? Right. So I don't think when you have another option when you have pickups and you can restore, Yeah, that's the harder way. Maybe it looks like staying longer, but I think it's the better way because then you know, you have a clean network and you can start again. You are just buying a key and then thinking, well I put into that key also, decryption takes a really long time because the software is not made for decrypting, it's made for encrypting. And yeah, so also it's not that you are up and running after a day again or something like that. So you need to put into consideration as well, when you pay ransom, you need to know to whom do I pay some Bitcoin wallets are already on the centralist. And it could be that you ask di yeah, what is that group? And then he says, well could be that it's a Russian stage thing, right? And when you then pay you, you have a sanction violation of of European and US sanction this. Yeah. That is then also a high risk. It's terrorism financing, maybe many laundering, whatever it could be. So you need to really be sure what you are doing there. I I think it's not a good advice to go with that way.
Yeah. And if I'm,
It's always overview.
Thank you. Yeah. And if I may add something, you always need to keep in mind we are just talking outgoing from a technological issue, from a technical issue, but the chain of implication is justly growing as you've said. It's the question whether or not to pay the ransom. So what is my effort and what is my daily loss within the, within the broken business and and how long does it take to get to this break even? So there's one aspect, but that's the wrong way of thinking because if you think it is quicker to pay the ransom, the political dimension, the political implications are that just huge. Right? And this is something you need to understand. Just for instance, if you are threatened by, by a North Korean threat actor group, you are completely lost. If you pay the ransom, you are financing terrorism and that puts you automatically on the US sanction list. That's how easy it is.
Speaker 20 01:55:59 One, one moment. The technical side has problems as well. This decryption software is not very well tested. So we have seen that small databases and files with hundred megabytes decrypt well, but if you go into gigabyte databases, you are stuck and it's so slow you are running into weeks to get the whole thing decrypted.
Yeah, just, just to add a note on that, you're absolutely right. Think of the open source mentality when you're a developer and you just go into the open source community and you just say, Well I just need to have a particular code snippet, which, which creates a specific file which I then use for logging services for instance. This kind of open source mentality happens in threat actor malware and ransomware development as well. So they buy in the encryption functionality and the develop of that encryption functionality guarantees. Then also the decryption functionality works. And then we get to that point, usually these threat actors who are then using it, they do not pursue any kind of QA and they're stuck. Yeah. So you've paid the ransom, you've received the direct decryption key and it doesn't work. Yeah. And that is important and that that relates back then also to the aspect you need to know with whom you are now in this business relationship, like in any regular business relationship, you need to understand how trustworth and reliable is the other party. And we're in the tricky situation because of the circumstances.
And one last fun fact before to that, to that point you just made, and before we close the session for, for a final break before for the last slot. Fun fact to that what you just said, because maybe or use also said Decryptor may not working pretty slow or maybe not working for file, certain file types, certain file sizes. We actually, in 2018, I think we were the client where we had such a case where the decryptor, after they paid the company, paid the decryptor wasn't working for a certain file type. And again, business model, we texted the attackers via that emailing book they had, we said, it's not working with it in that file type and the company already paid. And then they said, Wait a second, just send us a sample of such a file type. We did that and they sent a new version of Dead Cry.
So they kind of had a little fix to it because again, business model and because they don't wanna get in that position where people say, Well you can pay, but it's not working a hundred percent or so. It really happened. I couldn't believe myself. I I would be like, well you're, you're, you're telling you're making this up, but I saw it myself. So yeah, closing with this fun fact on that note, again, business model, trustworthy per trustworthy group. But yeah, it, it happens. Thanks for the engaging discussion so far. We are really little over time before we start with the third session. Let's, let's take only five minutes if this, that's okay with you because otherwise we got some time issues. Sorry for the last lot. So five minute break. Thank you. And see you in a second. All right. So people are coming back in.
So, and I hope that you also in the stream of course are back with us again. It was a little longer, but yeah, well there with us 50, we now are in that third part of that session and I mean I've already seen a couple of new faces now, some phases with which we're still in the first two sessions here with us, but we'll briefly do recap and also how to connect that. And that's basically also going to be a little interactive with the three of us. And especially Dick and I will, will elaborate on, on some stuff here again because if we, if we think back and recap slots one and two, so in the very first slot, especially Dick was calling from that threat intelligence si or yeah, view meaning briefly, Yeah, what's the heckers view, what they can get, what they can buy, what they can obtain, how they can skip parts of the kill chain, for example.
So really everything about knowing the enemy, understanding, yeah, kind of how a potential attack group, serial attacker or a threat heta so to say could work that sentence. And then we had the part, the second part from ra, which was about that incident response part. So when something actually got or happened already, when you got hit, when especially all the first steps of the kill chain have been overcome, an attack was carried out, what needs to be done, especially in the first 24 hours and what can help. And now in this third slot, we're going to combine it from, from different angles, both being technical but also organizational perspective on how to break the call chain. And I think earlier we had also an interesting question in the chat, which was I think if I, if I recap it correctly about what's the, the best way or most efficient effective way to to in which part of the kill chain.
And we already said, well, not only it depends, but we said kind of from all perspective because of course that the early you can do something about it, the better. But still you're not a hundred percent safe of course that something happens in in further further stages. And that's exactly where we're going to take a look, especially from the preventative side. So when nothing has yet happened or the attack has not been yet carried out, but also then when the attack has been carried out. And before I hand over to Derek in in a second also because we talked about threat intelligence already quite, quite a lot. Sorry, that's a little bit blurry. I'm just seeing that here in the pdf. But there is different types also of threat intelligence and here it's listed as strategic threat intelligence, operational threat intelligence, technical and technical. And that's also important for, for what will come then the next roughly 35 minutes to, to have that in mind because different types of threat intelligence serve different purpose.
And whereas for example, strategic threat, inte intelligence is more on the board and senior decision maker level. Level for example, you have extremely technical threat intelligence information, for example, with regards to, to security Analyst or for example, technical stuff to incident responders. So it also depends on the audience of course what they, what you do about it, how you filter that and also define what you do because you're not saying I'm, I'm going to do threat intelligence. You need to define of course what you wanna do with it afterwards to define the audience, to define what to collect and to evaluate. And this will be then also relevant to, to what's coming now, heading over to you very quickly for these two.
Yes, thank you and and upfront two apologies, I think we will overrun. So we are between the session and the happy hour later today. That's one aspect. And the second apology is then going out to the online attendees who can't join the happy hour afterwards. So I'm sorry for that. So threat intelligence. So we had during the break an interesting conversation and the terminology threat intelligence is widely used. Threat intelligence consists of multiple aspects, multiple domains and multiple kinds of activities. And one thing we are proposing is the external threat landscape management reading through the attendees list gives me the impression that a lot of identity and access management practitioners are sitting in this room or joining this conference, either physically or virtually. So with the principle of identity and access management, the internal threat should be covered not fully because there are specific aspects to be added to this.
As I said at the very beginning, security consists of multiple layers to provide and to build a very comprehensive and, and and basically a holistic security strategy existing of multiple components. External threat, landscape management is the very precise understanding what is happening outside, what is happening in the threat landscape, what is happening in the shady areas or the cyber world. Making understand who they are, what they're doing, who's collaborating with whom, what is their expertise, what are their ttp, So techniques, techniques and, and, and, and processes. What are their methodologies, what's the motivation? So we're not only talking about their technical capabilities, we're also talking about again about the business aspects about the business model. So what are they after, what is their motivation? How they are driven, how they are triggered. And that is something which needs to be understood because that is influencing any kind of further process after an incident.
Referring back to the incidents response activities. Because you would like to understand how reliable, how trustworthy is that particular other party where you are forced into a business relationship that needs to be understood. And threat intelligence helps upfront to understand the threat landscape, the actors, the players, the groups, the activities, the techniques, how they communicate, what they communicate, what they exchange, et cetera, et cetera. So what we call the next generation of threat intelligence should be a predictive, it is today possible to identify impending threats way ahead of time. Now think about the kill chain again, picture the kill chain between stage one and stage three to four. Between three and four is what we tend to call the boom time. So this is where the actual infiltration happens or the attempt of infiltration. And this is something which is important to understand. This preliminary time before the boom date or boom time is incredibly long and that's a valuable asset because as I said in between threat actors are very precise in their operations. They would like to lower risk, they would like to understand where the low hanging fruits really are. They're not just, you know, hunting a rabbit just because it crosses its way, it is a precise operation over time, which allows them to picture how vulnerable an organization at all is. And that is the key essence. It is not about the technical vulnerability of a buggy software, it's the vulnerability of an organization at all. And that consists of multiple aspects.
So the predictive information which can be generated by the way, by us obviously should be actionable because the question is always, once you have that particular information, what should I do with it? You need to make, or you should be put in a position where you take this information into the understand what to do with it. Either because of your own expertise and capabilities or by service providers like support by consultancy agencies, whomever there is with their particular expertise in that domain. Who of you have subscribed to the IOC newsletter? Do you know what that is? It is shared by the bsi for instance, which sends on a regular basis a file of IOCs of indicators of compromise. And that list is long, several, I dunno, hundred thousands of entries. So how useful, think of it, how useful could that be for yourself? It's, it's a question. Do you think that's useful?
Speaker 24 02:08:23 Not very much.
Why?
Speaker 24 02:08:26 Cause those, those,
Speaker 16 02:08:29 Sorry,
Speaker 25 02:08:33 Those addresses tend to be used by quantum delivery networks and stuff like that. And maybe one day there is a malicious website behind one address and the other day it's gone and the addresses stay. So if you use the IP address as an, as an ioc, it's not worth, I think more than than a week or so. Yeah, you cannot, you cannot maintain the stuff B
One aspect. The other aspect is what is your personal implication personally in the terms of what affects your organization? Yes please.
Speaker 14 02:09:05 But I think it's very important because this ioc, as you said, they are one week but you have to update them more than Yeah,
Speaker 24 02:09:14 But those staying the ones that are not useful anymore, staying the lists. So the list is just, you know, currently growing.
Sorry, oops. Yes, your point is fair, your point is fair as well. And you are right, this list is constantly growing. So the e entry's on the remediators because of whatever kind of criteria over, yeah. So what needs to be done with intelligence, with this predictive actionable information, It has to be personalized. It has to match you, your organization. You need to instantly understand why that particular information is so important for me, for my organization, I don't know, with a risk scoring whatever. So that for instance, a particular vulnerability is identified in relation to an asset which is exposed to the internet hosted by you or maybe a third party supplier. And, and and also then understanding why this vulnerability is of a high or a low risk because that dictates your activities. If you think about your IT operations from a process level, you have your patch management in place, now you have your regular procedures completely automated. But what is not included in this is hot fix management, security patch management, these kind of imminent and immediate activities required to secure a system.
And that is something which needs to be understood because we all, as we are standing here, we all are short on resources, we are all on short on experience resources that does not only apply to threat actors because there is so much business opportunity out there from their perspective and they're so short-staffed. So are we, I mean think about your own open headcounts in your organization and that needs to be addressed and that could be addressed by the appropriate technology to limit the demand or to reduce the demand of head counts of expertise. And obviously it has to be adaptive, it has to be understandable for everyone, for every role within your organization. Might it be the SOC operator, might it be the executive level, the csaw for instance. They need to be able to understand what the information for my organization means. There is the value. How do I need to act? Because you would like
Not only to collect and analyze the information and the ideal scenario you would like to automate out of this information, you would like to take this information and say, I'd like to integrate into a CM process flow into a so playbook definition because that is then shortening the time and effort to remediate that potential risk. Risk is a key here, which is important because you are put in a position where you are able to identify lateral risk but also an imminent risk. Lateral means it is outlining your organizational vulnerability, which could put you as a target of fed actors. The imminent risk level is where you are in target, but you would like to remain at this lower risk definition. You would like to understand what do I need to do to become invisible to threat actors? And that is important and that relies on this threat and diligence approach with this predictive approach. Because again, ultimately Lee, you would like to remediate any kind of risk you would like to understand. What do I need to do to take my head off the silver plate questions by the way? Comments? Okay.
Speaker 26 02:13:25 Okay. So one of the points that you mentioned there is the automation and integration within your playbook. Right now the companies are extremely agile. They don't do the the traditional waterfall model. We want to go quickly to the market and I've seen that the companies are tending to push responsibility of the infrastructure or the application to the service owner. So you have your development team that now aside from coding, they do, they have to, to maintain the libraries, they have to patch their, their services and so on. And if us from a security perspective, we go to their go to them and say, hey, I can take a bit of of your time by automating something, but I need that level of privilege to in to directly affect or mess up with your libraries, patch them, I'll update them or whatever might be applicable.
Yeah,
Speaker 26 02:14:24 Where's the point? I mean where, how can I actually influence that culture aspect? Because if I go to my DevOps, they'll say no way. If the DevOps wants to access our security tools, we'll say no way. And the same with the developers. How can I actually influence the culture aspect to say, look, I'm going to save you 20%, 20% of your time, but you need to give me the administrative privilege to perform those actions automatically with the playbook.
So why do you want to request the administrative privileges? So why is it not the vice versa point saying, well I'll inform the responsible individuals to take care of security because I do have detail rich information
Speaker 26 02:15:05 And that is the actual case where we do have the information, we provide it, but at some point it becomes fatigue to to to the actual teams because today it's thel, tomorrow it's the look for J tomorrow, it's the next day it's going to be springs for shell. And then people will say, you know what Baa sorry for the
Yeah, no, no, you're absolutely right. And I just say from a technological standpoint. So what, from an operational standpoint, I would rather think of, okay, so what is the company culture about it? Because responsibility has to be taken, responsibility has to be addressed and this responsibility is something which has to be executed now. And that is something where, where, where the organization should think of taking corrective activities, making sure that these kind of information is used to its highest value. That is my very personal opinion by the way. I can, I can dictate and maybe I'm too strict because I'm of German origin.
Okay, so moving on from, from what we heard about threat intelligence and how to leverage and how to use that. Again, this is the kill chain and bear with me if I, I don't wanna rush through it, but maybe I skipped some stuff where, where I may think we, we got that already covered a certain to certain degrees, but of course feel free and still to jump back and ask a question to it. But again, the kill chain and especially if you look at these first three steps, that's kind of where we are still in somewhat in a preventative face where we, it says shift left to uncover threats as early as possible in the kill chain. So that's one part where we can do something about it. So early detection, avoiding vulnerabilities and stuff like that. But also when it then happens and the attack is actually being carried out, we have that reactive part where we have a variety of capabilities.
We heard about incident response earlier this morning in the workshop. We heard a lot about bcm, business continuity management, IT service continuity management, crisis management and so on and so on. But every wouldn't say exactly every step. I mean of course if you go and really drill it down, but of course in in in in many or in different stages of the kill chain there can be different actions been done. And this is what we wanna focus now in roughly 20, 25 minutes. And in doing that, and it's really a high level of course overview in terms of proactive stuff we, we talked a lot about and heard a lot about of observation investigation. So a lot of what Derek already elaborated on the first session, but also now we have of course different types of vulnerability assessments being IT for our software or being IT for hardware or, and also stuff with regards to cyber compromise assessments.
So there's a lot of stuff already going on in that proactive phase. But also again, because there's, well just repeating myself not at the a hundred percent security, of course you also need to to be ready to, to prepare if something then still happens and you, you actually need to respond to that. I mean it's of course not an issue specifically to cyber. I mean being at c being at other stuff in in your supply chain in general, any disruptions or so, and especially these capabilities I think are somewhat seen to dogmatic. I would sometimes say, and let's say a little unflexible but we'll come to that also want to cover that. Do you wanna do quickly go over that one or should I skip it? Because it's basically just
A quick, it's just a quick one if again, threat intelligence is is a terminology which is widely used. So we need to look at this external threat landscape management aspect. And the first aspect which could come to your mind is well yeah, vulnerability management, I'd like to have all these scans which is then uncovering my its and what shady and and ridiculous state they might be in because they're not patched. And what else is there? This is just one aspect and you might remember and might recall the first session where I said social engineering goes hand in hand with vulnerability exploitation. So the attack surface is covered with the vulnerability management but also the vulnerability intelligence. That's the add on to this is so important. But it is important for the second, third, fourth stage of the execution. Vulnerability intelligence is important to understand it's not only telling you that there are CVEs identified to a specific host.
It is also then outlining the priority, the importance of the CVEs because from the other side out of the observation aspect, we're able then to tell you, well there's vulnerabilities of high importance because it is part of a particular campaign by a particular FRA actor group now, or we can tell you other CVEs are the lower importance because they haven't been used the past, I dunno, 18, 24 months. Interesting aspect to this. This is an ongoing observation because that might change on a daily basis just because a CVE was not in use the last six months, 8, 12, 18 months doesn't mean that there is suddenly not an interest by threat actors to exploit this vulnerability by tomorrow. And that is so important to understand. So we are looking at a scenario which is constantly evolving. So we have the IT infrastructure itself, which is constantly evolving, deploying new holes, deploying new applications, patching applications, whatever there is.
And then we have this kind of friendly fire information which says, okay, CVE documentation, vulnerability detection on the one hand, but then also the cyber threat activities saying okay, where are the low hanging fruits? I'd like to understand the newly detected CVEs or I'd like to identify out of the reconnaissance and weaponization pay phase, which organizations are vulnerable because of, yeah, so this, these are two wheels constantly spinning and that has to be correlated to each other. Important to understand. And also then getting back to my initial statement about the social engineering part, you need to understand what your current exposure is also from a business perspective, what is happening outside your organization about your organization impersonation and infringement, spinning up websites, which is a complete copy of your web application, copying your, I don't know, your online shop, no big deal. Yeah, one customer of ours is a pharmaceutical organization.
Actually they were affected by two incidents. One was the exfiltration of their CRM database. That CRM database was then sold and used by other threat actors to spin up a scam campaign. So they've created a complete copy of their web shop and addressed this newly created web shop to the, attend to the recipients of the CRM saying, Dear Dirk, yeah, long time, no, see you're a valuable customer, please check our new web shop. And by the, the way you get 10% discount if you order within the next, I don't know, four weeks sounds ridiculous, but it has happened. And that forced a severe revenue drop down to zero for this pharmaceutical organization within a particular territory. So this happens. And that is just because this organization was not aware of these kind of infrastructural preliminary activities because every campaign requires preparation and that preparation can't be executed completely undetected. And this is where we step in, for instance, with threat intelligence, with external threat landscape management, uncovering these activities, detailing these activities, and also given evidence then to the affected organizations about the activities so that they are fully aware of the impending threat, being able to remediate anything or any risk which is related to this impending threat.
And then there is another aspect C source like really well it is not about the impending threat, which is specifically targeting an organization, it is also the situation around the organization. What are my competitors bothering with? What is my territory bothered with? What are the ones bothered with which use the same technology stack that like I do because that is something like the flu wave. You would like to understand when the flu wave hits you because also with the details about if you are or are not affected by the flu, say, well let's get me the vaccination because I'm at risk. But I see this out of the situation awareness around me in front of me. So alternatively, and this is now I'm closing my note, external fact landscape management, the value of the information is predictive, it's personalized, actionable, and it's adaptive cyber intelligence. And I think that's the, the value out of it. Thank you.
Connecting back what Derek, you just said. So all these pieces of threat intelligence and then on thinking of how to integrate that and breaking the kill chain from that resilience perspective, we, we brought up in different phases and a different steps that can be done both operationally or organ from an organizational perspective, but also technical perspective. Of course you could, you could for example divide in that proactive stuff. We, we, I think elaborated already a lot about on, but also that post-incident research and monitoring actually when something happens, what's, what's happening with the stuff, for example, being leaked. So is there, is there that was a customer, the leak CRM database for example, is there the, is there risk that stuff is, is being used to, to start an attack again or other scamming activities and so on. So that means it's not only about that pre-active part, but also integrating, especially during and after something happened, to, to see whether there is new possibilities that you get attacked or there's other, Yeah, other risks popping up.
Ultimately, what do I now wanna do is as, as we had on this, So let me just quickly jump back here. Go through, because we have this conversation in observation, sorry, investigation part, look a little closer on these parts, especially of course rec stuff, but also here. And there's different ways to do that. And also, again, thinking back of that question, where can we start to, for example, take a look into the culture and how to break it and what can we do upfront from a preventative perspective? And for example, when we, when we think about software and how, for example, spread can happen in your system, there's the tools out there, for example, where you can contextualize basically if an attack is successful inserted in your environment. So basically after they managed to, to get into the network after they managed to carry out something, an attack to see how, for example, an attack could spread.
So meaning kind of from where would such a ransom tech, for example, jump, which are the paths, for example, and to, to assimilate that and based on, on a real yeah, landscape of the network. And then see which for example, which assets and which paths are being taken. And this is kind of simulation then, for example, helps you to explore these paths to, to fix them all done outside of your network, for example. Because if it's basically an image of, of your network, you can do that without a risk. So let's say kind of a software kind of technical part you can do here to, to get a, an idea and a view on that and also prioritize this. So really simulating how an actual attack, if being successful inserted into your network would jump from, from, from asset to asset, for example. And then fix this prioritization perspective.
What's also not think thought through all the time is from a hardware perspective, and especially when it comes to firmware, because the first part was a lot about software applications itself, but especially where, for example, endpoint protection, just to give an example, may not be able to protect, especially in, in part, as part of firmware boot processes has also weak link where, where you could do basically the same types of assessments, the same types of simulations, and check this with this part of your entire system. And bear with me because I'm rushing a little bit through it now and feel free to ask questions at this point. Last but not least, for not, not going too much again on the preventative side with threat intelligence and the simulations and stuff, of course cyber compromise assessments we also talked about quite a lot and especially when it comes to threat hunting, for example.
Also thinking of or pretending that you actually got breach that you got hacked, for example. And then combining the threat intelligence to that and exploring without knowing or without maybe not having too much of an indication to it, but checking whether you can find something. So actively looking for it rather than having read the, the idea that something already happened but actively searching and looking for that. And I mean, cyber compromise assessments also to that is also then a powerful way. But again, you need to know what you're looking for on the one hand also kind of get that understanding the outside view. For example, what might be interesting from Anca from the outside perspective because I mean, if you're doing just as clueless without having a, a direction or a prioritization, of course you may also end up in a or a, you end up maybe wasting a lot of resources to a certain direction, which is maybe not fruitful or not helping you further.
And for the last roughly 10 minutes, we, I wanna jump to that reactive part of breaking the kill chain or reacting to the kill chain and who was part of the session this morning. A lot of terms may sound familiar and I don't wanna go through each and every step here again, or basically doing the, or not doing the, the basics again, because I think the colleagues this morning did that already quite well. But taking this intelligence view and also maybe from, from from what we experienced also reality from, from actual cases, taking a look, if we, we talk about this as kind of resilience capabilities and again, it's, it's, it's always a, a question of course of definition. So everybody thinking of resilience maybe in a different way. But going through that and if we, if we present now this, this is kind of a first set of especially operational resilience capabilities to see where we can break the kill chain here and also have certain reactive capacity.
And if we start from the top here, and I don't wanna, I mean governance organization policy, everybody's probably, yeah, being already bought by that. But I think the, the interesting thing, and it was also a question this morning and one of the sessions is again, what you define for yourself as being a capability to respond to events, for example, like that, is it only the traditional stuff like being at bcm, I TDM and so on? Or do you see it as a wider, from a wider angle, wider perspective stuff like how much kind of capacity silos or, or kind of knowledge or kind of what's the, the what, what's the culture in the company at all? Because when it comes to events, you can script a lot of stuff. You can try to write play because all over and all these things, but of course it's never going to happen as you envision it on the one hand.
And then it's about how, how much capacity, for example, is that to react at all? Is everybody already in day to day business, for example, 150% loaded and then if something happens there, you're just happy because well, nothing to do anymore until it's resolved or what do you, what do you define as as part of your overall resilience kind of definition and strategy, so to say and being part of it? And do you also see other non-risk management disciplines as part of it and how do you integrate that? So I think that's something which is especially in, in when, when thinking about or when hearing the term resilience, when when we, or think a lot about operational risk management for example, or op risk in general, which is, which is less, the soft effects are less, I think in my opinion, are considered in here.
And also from that part on top here, it's also about from the, from the more strategic, it's called strategic threat intelligence from that perspective in terms of what do I want to prepare my organization for and what is my, what is my exposure? What's the potentially the interest you said kind of what's the, the interest from a, from a threat actor, from a business perspective and so on. So get that understanding, get that context, which helps to weigh better to prepare for actually, or more targeted prepare for for reaction. Because what's still also been done, and we'll go to this in the next step, is a lot on like generic scenario planning for example, or generic risks and threats maybe coming up but less contextual, contextualized within these certain companies business environment or within the specific environment. And then it still helps of course, but I think it can be done better here.
We also learned this morning a lot on business impact analysis, for example, who was already in that session. And I think that's fine and I don't wanna elaborate that on this basics any further, but again, here a lot is on that stuff, knowing actually your assets, that's also one thing. But also what happens actually if assets fail because, and I think lot you also at session, in many, many cases we've seen that if for example, it is then going down and ultimately is then a business issue, companies really often then start from scratch kind of to, to elaborate, okay, what's actually not working in my business or how do I need to prioritize afterwards? So having that wider picture is also something that, that's of interest here and is an awful lot of effort in terms of an investigation and kind of mapping exercise front and you, but will still need it for various use cases.
And the other part of that traditional risk analysis stuff or preparing or thinking of scenarios, it's also about how, how specific you're trying to, to make these for your organization. Because again, you can take whatever threat catalog you would like to and just do, I don't know, like traditional risk assessments and stuff, but what's the benefit from it? So is it really tailored enough to, to your context, to your environment and also what do people with it. Because what we also experience, I think is then when trying to make up scenarios or trying to to talk, have a conversation about actual risks. Not everybody has just a different understanding, but it's taking a a perspective from, from very different angles and that helps or does not support. So the other way around actually all the further steps where you wanna try to make something out of these risks and the threats and the scenarios ultimately.
And I think that's also here where again, that threat inter perspective can come in because it's also great to see actually from the outside or put that view into it, what wouldn't potential threat at think about to tailor these scenarios way more than what could happen. Reality compared to kind of traditional blurry scenarios, which are really superficial, for example, still helpful to a certain degree because you, you engage a process and a discussion around it, but not as, as tailored, let's say, to something that could really happen reality. Think a little bit on of time and again, sorry, because we won't manage it and we won't hold you back for too long for the happy hour of course plans. And that's something not only for business continuity management and incident response below here and incident in crisis management in general. What's also our understanding is a tricky thing is the whole stuff of, of writing plans manual, 10 books, response plans, whatever you wanna call that.
Because the one thing is that of course you're trying to engage the people to do, to be part of the process to engage with it. And there's a quite famous quote which says plans are worthless, but planning is everything because ultimately it's not going to happen exactly as you envisioned it, as you plan for it. But going through that process, engaging with a certain situation or thinking about a certain situation, making something up, building a scenario, a narrative around it is way more important and building a softer part of within the organization rather than the plan itself. Because it's helping people to engage and think in an abstract fashion, in a dynamic fashion. And this capacity, and this is also why testing, exercising is actually so important. The these, the softer skills you develop from that actually are way more useful in an actual situation than the plan itself.
So I'm not saying the plan is worthless of course, but as it's not happened exactly as it's going or as it was initially planned, these softer capacities tend to be way more useful in an actual situation or actually it'd help you to adapt to then the different types of scenarios, the different type of impacts that are going to happen. And this applies both for traditional like business continuity planning, for incident response planning for for emergency crisis management and communication stuff. And still there's a lot of preparatory stuff you can and should do because some basics being at stakeholder analysis and so on, or maybe certain communication templates are still valid and useful. But I think it's a lot about balancing these efforts and a lot of stuff is being done in, in writing, writing documents, writing an awful lot, but rather less on that kind of understanding the, the softer parts of it, the softer benefits that comes from the process itself, but also the training that again, and we had this awareness part as well, but all these things helping to connect these dots. So since we are almost on time, and I, I and I touched upon also a variety of other things and I think we had engaging discussions also on the first two modules. I don't wanna hold you too long off and I hope you bear with me if I skip also that part from you because I think I I would tend to go over to the summary.
Yeah, you're not accept well statistics, I lost statistics. Okay,
Get the statistics.
There was this poll in the second session about the dwell time. And the dwell time is also interesting to understand upon the business size, right? So you can see to the left, it's the number of employees and the duration of the dwell time and it's shorter the larger the organization. And that is for many reasons, one of the reasons is obviously their cybersecurity capabilities. Again, think of what I've said. The dwell time starts with zero, with the immediate identification of an impending threat. Another aspect to this is, and this is the typical phrase, So we are a 5,000 people organization of that very niche. So why should we be targeted? Well, you are the preferred target. Now think about the difference between this very small organization and this very big organization. Usually the big organization has multiple business units and within a tech there was just a subset of business units affected. So their business impact is low in quotes. It is painful, but it is not taking down the whole business where you have this one pony shop being affected and is taking the whole business down. That is a threat and that is the pressure on the organization to be more agile, to be more open, more flexible to this whole ransom procedure. And that is the reason why small organizations are affected at risk on the similar level as large organizations as well.
That's the reason why I want to turn that statistics. I know more statistics, but afterwards
Speaker 28 02:41:00 Can I ask
You a question? Sure.
Speaker 28 02:41:03 On
That, please use that one thing.
Speaker 29 02:41:06 I agree with you from my experience, but you've got now regular numbers. I could never tell people these are the numbers. How did you get this from sofa? It's public. It's public. I, I didn't look at that. Thank you very much. Because I've been saying this for quite a while.
Yeah, yeah, yeah. That's an un that's an unheard message. They don't wanna hear it. Yeah, don't
Speaker 28 02:41:31 Wanna hear
This.
Speaker 18 02:41:31 Just a comment because I remember the query here, this statistics, huh? So Paul, and here I found the 2 82 282 days again.
Yeah.
Speaker 18 02:41:43 Which contradicts massively to the 21 I it was
No, So here's the point. So the, the sorry for slate, the dwell time is between the infiltration and the detection, but that doesn't mean that all the undetected infiltrations are then counting into these 282 days of average remediation and cleanup. Yeah. So these are different
Speaker 18 02:42:11 Objectives. Two days in mind.
Say
Speaker 18 02:42:13 Again, in the end, I better keep the 2, 282 days in mind because this is a total surface.
Yeah. Okay. Absolutely.
Speaker 28 02:42:23 You really have, and people don't understand.
To wrap it up, and I don't wanna repeat too much, we, what we kind of, I think touch base upon a lot. So in general, we have that proactive and we have that reactive side. Of course that's not news. We hope that we were able to shed some light on how different angles from a, from a resilience perspective, being it proactive being it reactive, can break the kitchen at some point. How threat intelligence helps to support that at which stage. And ultimately we're hoping that you had great three modules, three sessions, happy to, to get in touch with you afterwards to get your feedback, to get your thoughts and potentially seeing you. And the, the happy hour was right. That's happening now, right? Yes. Yes. Okay. Thank you so much. And yeah, looking forward to catch up with you maybe later having a drink or so.