Module 1 - CASEBOOK


CCRO Training

COURSE NOTES
MODULE 1 - Casebook
Cyber Risk Academy [email protected]
Document Classification: Class 1 - General
INTRODUCTION
In this module, we explore the cyber threat landscape and gain an understanding of the
key threat actors, their motivations, and techniques.

This material comprises:

• Transcript of Tutorial Video – Page 3
  (Available to Stream from the Online Cyber Academy) – 70 Mins

• Transcript of the Case Study Video – Page 55
  (Available to Stream from the Online Cyber Academy) – 40 Mins

• Cyber Jargon Buster – Page 83
  (Key Terms for you to Understand)

CCRO COURSE FORMAT V1.1 - COPYRIGHT 2020 – ALL RIGHTS RESERVED – ICTTF LTD 2
TUTORIAL VIDEO 1 – TRANSCRIPT

Video Reference (00:00:00):

Hello everybody, and you're all very welcome to this video. It's titled "Understanding Cyber Risks and a Little Technology." My name is Paul Dwyer. I'm your head tutor. Today, we are going to explore the cyber threat landscape and gain an understanding of the key threat actors, their motivations and techniques. So, let me begin.

Video Reference (00:00:32):

Essentially, we live in two worlds: we live in the cyber world and the physical world. We have no choice but to exist in both worlds, but let's look at some differences between those worlds. For example, in the physical world there are laws, there are rules, there are social norms and consequences to any actions that we carry out, and that is how society operates. But in the cyber world, it is completely different. So, let me explain. If I was a "bad guy" and I wanted to steal an asset from you, a physical asset in the physical world, let's say for example I wanted to steal your laptop, well, first of all, I'd have to get physical proximity to that asset in order to steal it.

Video Reference (00:01:11):

So, in other words, I have to get beside it. I have to get my hands physically on your laptop in order to steal it and carry out that action. The chances are that there will be witnesses because I'm in a physical environment; there may be CCTV surveillance. If there is, and you notice that the asset is gone, that it has been stolen, when you see your laptop is missing you can contact law enforcement and they can investigate. Potentially, I would be arrested and brought to court to face attribution and justice, and that is normally the way things work, in theory, in the real physical world.

Video Reference (00:01:48):

However, in the cyber world, it is completely different. If I'm a "bad guy" and I want to steal your valuable asset, the fact is that I can steal that from anywhere in the world. I can be sitting anywhere in the world, potentially gaining access to that asset, which is your "data", steal it, and you won't even know I've taken it! So, the chances of there being witnesses or surveillance or an investigation that would lead in any way towards attribution or justice are pretty low, and that is a fact of life when it comes to cybercrime and the world of cyber threats. We have to understand that there are two different, if you like, "parallel universes", if you want to think of it that way, and we'll touch upon this as we go through the material.

Video Reference (00:02:29):

But first of all, let's have a quick overview. This infographic shows a nice breakdown of all of the different main cyber threat groups. So, for example, you've got cyber criminals, and their motivation may be to make money. You have nation states, who may carry out nefarious cyber activity for geopolitical reasons. You may have hacktivists, who want to do something for ideological reasons. You may have terrorist cells, who are doing things in order to support propaganda, violence, spreading terror, recruitment and so on. You may have thrill seekers, who just want to do it for the fun, and of course you may have discontented insiders, who may carry out activities for various reasons.

Video Reference (00:03:10):

This is by no means all of the threat actor groups; these are the main ones that you can consider. But really, one of the most important points of this infographic to understand is that your adversary is in the middle. In other words, you're not dealing with one group, you're dealing on all fronts, because the reality is that all of these guys operate together, they cooperate at some level, and the entire nefarious cyber ecosystem that supports all of this criminal activity is interrelated. So, you will have cyber criminals working with nation states, nation states working with paedophiles. This is just the reality of how this world works, and all the cyber bad guys effectively work together. So, if you're fighting against one cyber bad guy, you're fighting against all of them!

Video Reference (00:03:56):

Here in this infographic, we can see a different perspective on that. We can see the different groups: down at the end you've got your thrill seekers, you've got your hacktivists, you've got your insiders, your terrorists, your organised crime, and your state-sponsored groups. Again, this is not all of the groups, but this infographic is more to give you an idea of the different skill levels involved, the different motivations and examples of the kind of techniques that they would use.

Video Reference (00:04:18):

So, for example, here we have the threat group of "terrorists", and ISIS developed a massive, highly organised campaign around recruitment, the "Cyber Caliphate", and so you see lots of different techniques being used. These different techniques are equally being used by terrorists as they are being used by criminals, as they are being used by other malefactors.

Video Reference (00:04:44):

So, in the physical world, the traditional entry to the world of criminality was the ability or the propensity to be violent, and that's essentially your ticket in. If you were a violent person and you had a criminal notion about you, you entered into that world and that was your ticket to get in. It is completely different in the world of cyber criminality, because what we find is, at the top end of the cyber-criminal groups, a lot of the guys, first of all, are not very technical, but what they are is "people persons". You know, they are highly organised, they're great at collaborating, bringing the projects together, essentially entrepreneurs, and that's what you get at the top end of the chain.

Video Reference (00:05:26):

And at the bottom end of the chain, if you like, are the soldiers, the "doers" that are doing all these bits and pieces. It's a broken-up economy; they may not know each other, but they all work in cells. They're not even aware of the impact that they're having on what they are carrying out, but certainly they're not what you would think of when you think of criminality with a lot of these groups. But that being said, these are highly organised criminal groups. Organised crime groups of this type that work in the physical world, as well as terrorist groups, are leveraging the "cybercriminal talent", if you like, that's out there in order to carry out their own particular objectives.

Video Reference (00:06:05):

So, if you were to go to, for example, a site like YouTube and type in the word "CARDING", C-A-R-D-I-N-G, first you will learn how to shear our friend here and turn the fleece into wool, because that's what "carding" means in the real physical world. However, in the cyber world "carding" relates to the sub-industry of stealing credit card details and monetising them. So, what you'd find is lots of videos, not just on YouTube but on lots of different websites, that teach you how to become a "CARDER": how to use carding forums, how to use carding software, and that's everything from, you know, teaching waiters or waitresses how to skim credit cards, to teaching people how to monetise the data when it's been stolen.

Video Reference (00:06:51):

My point here is that this is one of the reasons why this cybercriminal underground has become so successful, why it is surpassing being a trillion-dollar economy, why it's up there with drug trafficking as the number one crime in the world: because these guys are highly organised, they recruit well, and they recruit by teaching people, sharing the information, sharing the knowledge, because they feel they can do that with almost impunity, to recruit people, to build up their network, build up their ecosystem, because all of these are other cogs in the machine of cybercrime that they can use as they teach people. But ultimately a lot of these people who get brought into this world become victims themselves at some stage.

Video Reference (00:07:31):

There is an insatiable demand for the product, but just like in the real physical world, the fresher the product, the more expensive it is. In other words, if you have stolen credentials, stolen usernames, passwords, or credit card details, what we refer to as "FULLZ" data, F-U-L-L-Z, which is a more complete database record of somebody. So, for example, their billing address, their account number, their balances, their mother's maiden name; that kind of data builds up what we call a "fullz record". That data is far more valuable, and the fresher it is, in other words that it hasn't been reported and it's not out there a very long time, then the higher the chance of the bad guy being successful in using it as part of a scam, and therefore the price is higher. So, you need to think of it like a marketplace. When you actually see these marketplaces, you learn very quickly how sophisticated they are. They have rating engines on them to rate the other criminals, because it is axiomatic that you can't trust another criminal.

Video Reference (00:08:35):

So, what the sites work on is the "community aspect" of being able to rate a complete stranger. You don't know their name, you just have a "handle" for them, i.e. a nickname. What you're doing is reading the comments, the reviews from other criminals, who say whether this person can perform the service you've asked them to do, or provide you with the data that you're looking for, in an efficient way. Also, these systems use what we call an escrow system. An escrow system is how the sites themselves make money, and they do that by acting as a middleman with the transaction.

Video Reference (00:09:09):

So the site holds on to the deposit money for the transaction. Say somebody wants to buy, say, ten thousand credit card details or order a DDoS attack on somebody's website; the site holds onto this until the customer comes back and says that they were satisfied with the service, and then releases the money to the vendor.

Video Reference (00:09:57):

So that advertisement, for those of you who recognise that Flash animation, is well over ten years old, and it shows you the sophistication of how these sites developed.

Video Reference (00:10:08):

So, the site we're looking at in this graphic is well over ten years old. It's showing what the site looked like at the time, and this was when these guys became highly organised: when the bad guys started building up their marketplaces, when they started industrialising, turning it into a business. They were able to share skills, share their services, their utilities, their articles, teach people, advertise different services. This was a leap in their maturity and the proliferation of their activity, and even the fact that they had marketing departments that were creating graphics and images like the one we've just seen, the "Flash" animation with the music and so on, talking about "be independent".

Video Reference (00:10:57):

You didn't have to be part of a criminal group; you could be an independent contractor in the world of cybercrime. You could work through sites like this. You could obtain any of the other pieces of the puzzle, for example, that you were looking for yourself. So, you might be an expert in one particular area, but you didn't have the other data or the other skills, and you could rent, hire or buy whatever you needed to do that. This was a key step in the development of it.

Video Reference (00:11:24):

It was around that time we saw a huge increase in what we call "hacktivism". So, hacktivism, if you like, is today's version of somebody going out with placards saying "down with this kind of war", or protesting against whatever it is that they have a grievance with and the point that they want to make.

Video Reference (00:11:46):

And we saw this massive proliferation, which came originally from a website called 4chan, and we will talk more about that over the coming weeks, and those of you that are aware of the term "Anonymous", because they are not so high in the media these days, but this became a hugely significant force: highly disparate across the world, different cells with different motivations. It started off, essentially, the background to it was around Tom Cruise and Scientology, and a group of hacktivists wanted to protest against certain things about that, but then they would pick different causes all of the time. And what you found was that this wasn't necessarily bad guys; this was people who believed in a certain cause or certain reason and wanted to form an online protest. But they wanted to instil their point and fear and so on, and of course it was infiltrated by lots of people with different motivations and different points of view that they wanted to get across, not all of which is something that you may subscribe to.

Video Reference (00:12:50):

But let's have a look at one other sort of, one of many thousands of promo videos, sort of scare-tactic videos, that they will put out there to get the point across.

Video Reference (00:13:15):

"Hello, Congress of the United States. We are Anonymous. We are here to address the current situation on the recent shutdown of the file-sharing website 'Megaupload'. Yes, there was a significant amount of copyrighted material being downloaded for free, but in our eyes shutting down the website was not an effort to stop piracy. Piracy on this site will not go unpunished. We are getting access to the servers of the United Nations, Sony PlayStation Network, Microsoft XPL, US Bank, Chase Bank, Capital One, YouTube, Twitter and Facebook.

We are prepared to unleash a full-scale global blackout of these websites, including networks, in exactly seventy-two hours after we send this message if Megaupload is not reinstated to the internet. We have access to the banking and credit card information of millions of citizens.

But as for the citizens, do not fear, for your accounts will not be compromised. This is simply raising awareness, a demonstration to those who doubted our abilities, to those who support certain people, to those congressmen who want to vote yes on these bills. We are not fucking playing; you have been warned. Operation Global Blackout part one engaged.

We are Anonymous.
We are legion.
We do not forgive.
We do not forget.
Expect us."

Video Reference (00:14:40):

So, with these groups, it's important to understand the background to them, because there are up-to-date versions of these with different names around all the time, and a lot of the techniques can still be carried out by different types of entities that get behind them. We talk about that certainly in relation to things like supply chain hacking and so on, and hacktivism and ideology.

Video Reference (00:15:03):

So, what we're looking at there is a graphic of lots of people with shoes on their heads, so what's that all about? I mentioned a website called 4chan. This was a website that over a decade ago effectively became the petri dish for a lot of nefarious activity. A lot of it was just fun seekers, but a lot of it was extremely evil in intent: a lot of bullying, a lot of trolling, a lot of that kind of activity. And where it came from was the fact that you could go onto that website and post anything you wanted, but your name was anonymous, and what happened was that you would have somebody going over the same posting pretending to be somebody who has been hard done by.

Video Reference (00:15:52):

So, let's say for example somebody puts up a posting that says "Oh, my boyfriend cheated on me with my best friend, blah blah blah, and here's his email address, please reach out to him." Then they would post a picture of themselves, or some very attractive female or whatever, to see what would happen. And what would happen here was online crowd rabble-rousing, and before you know it five, ten, fifty, a hundred, a thousand, a couple of thousand people may get behind that particular target to attack them, and they would do all sorts of things, whether it was DDoS-ing them, whether it was hacking into accounts and exposing all their private information, and all of that kind of activity was carried out. So, this was sort of an evolution in online bullying and online trolling that developed into a much more organised scheme, where LulzSec effectively spawned the likes of the Anonymous group and so on.

Video Reference (00:16:47):

So, LulzSec, the name itself was originally short for "LOL, laugh out loud, Security", and it was to point out the fact that all of the hacks they did were unsophisticated and were showing how laughable the security was of these big corporations. But this stuff isn't to be dismissed or laughed at lightly, because the fact is, if you can raise thousands of people around the world behind your cause, whatever that is, you effectively have an online army to carry out whatever that activity is, and a lot of them feel they can remain anonymous, feel that there is no price to be paid for whatever activity they carry out. So again, we get this disconnection between the real physical world and the cyber world.

Video Reference (00:17:30):

Again, a very significant force to understand is there. I'm not putting the label LulzSec or Anonymous on these forces; I'm just talking about online forces, whether it could be one person, a thousand people, whatever it happens to be. That kind of technique is still there, and we see it all the time in cases of bullying and cyberbullying, where it might be ten or fifty people; that doesn't make it any less. It is hugely significant when you can rabble-rouse somebody against that. In commercial terms, we've seen cases whereby people may go online and talk about how they've been mistreated by their employer, or as a customer of a bank, or whatever that may be. They may psychologically press a button in people for sympathy to get people to become part of something.

Video Reference (00:18:18):

In fact, a lot of the stuff that came out of this activity was tools such as you may have come across, solutions and apps that were known as things like Low Orbit Ion Cannon. These were effectively apps that people were able to download on their phone to become part of the online protest, and at a certain time on a certain date they would press a button and all of the traffic from their phone would go and target a particular website, and this is how these organised groups online were able to take down the likes of the CIA's website, MasterCard and so on, because they were able to garner massive online support behind whatever the particular cause was.

Video Reference (00:18:58):

The shoe on the head is in relation to one of the things they used to carry out, which was that if they had hacked into an individual's email account, they may pretend to be somebody that they build up an online romance with, get them to share some embarrassing information, and then turn around and say, "Hey, I'm not who you thought I was, and I'm going to share all this information up on, you know, your mother's Facebook feed, unless you comply with me. And I notice, by the way, you work in a bank, and that's very interesting, because I might want you to do something for me in the bank."

Video Reference (00:19:34):

And of course the person, the target, the victim, turns around and goes "I will, I'll comply, I'll comply", but they don't believe them. So in order to get them to believe them, to become pwned or owned, they will get them to take their shoe off, put it on their head, take a photograph and post it. That was a clear sign that they were then under the control of the hacker, because if they were willing to do something as ridiculous as posting a photograph like that, they felt they were then in a psychological phase of compliance where they would carry out whatever.

Video Reference (00:20:07):

And this went all the way up to the top. I mean, these kinds of threats were even put towards Barack Obama when Barack Obama was president of the United States, and this was a technique used all of the time: to say "look, we will", the bad guy would say, "we will let you off the hook, or we will work with you in some particular way, make your life a bit easier, if you do this." But that was never the end of it, because as soon as you start complying with these people, they knew that they psychologically owned you and controlled you and were able to get you to carry out whatever they wanted in more space. And obviously psychological torture is a huge aspect of that and a huge trait of it, so where it can be seen as being funny sometimes with some of these techniques, in the real world the devastating effects were massive.

Video Reference (00:20:51):

So, let's have a look at a recent cybercrime price list. The purpose of this infographic is to show you how sophisticated this area is. So, what we'll talk about in a little bit is what we call crimeware. Crimeware is software specifically designed in order to carry out crimes, so you no longer need to be a technical wizard or a hacker to be able to carry out this stuff; you simply need to have a project in mind, and you can rent or buy the tools you need.

Video Reference (00:21:18):

So what we have is what they call C-A-A-S, which is Crime As A Service, where you can rent a hacker, or hacker services, or bad-guy services, to carry out whatever the particular action or tactic is that you want to be carried out. And here you can see that I can buy data, I can buy services, I can buy attack tools, whatever I want, and this is just a sample of different products and an averaged-out price in euros from what we've seen recently on some of these cybercriminal websites.

Video Reference (00:21:51):

If we look deeper into the underground economy and what breaks this up, we put together this infographic of the top ten roles, and again there are many more roles here, but I think it's very important to understand some of the main roles. So, we'll start off at the left. You've got what we call "Hosted System Providers", so they provide what we often refer to as bulletproof hosting. That is to say that a bad guy does not want law enforcement to investigate what they are doing, so they will often rent part of an ecosystem from other criminal fraternities, or people who supply those kinds of services that are hidden, inevitably in jurisdictions that don't cooperate with law enforcement, and that's a key part of their ecosystem.

Video Reference (00:22:36):

So if they're running a spam engine, or they're running their marketing department, or whatever it happens to be, they want to know. They treat this like a business, they invest lots of money into it and a lot of time, and they want to know that they have a secure infrastructure to work within.

Video Reference (00:22:49):

You have "Cashiers", who control drop accounts and provide names and accounts to other criminals for a fee. You have "Money Mules"; these guys complete the electronic transfers, so they're clean bank accounts. I'm going to talk a little bit more about them in a moment. You have "Tellers", who are charged with transferring and laundering illicitly gained proceeds. Inevitably this is often done now with cryptocurrencies; this is done through different apps that can actually launder the cash online into cryptocurrencies and into tumblers. These tumblers are effectively, you can almost think of them like washing machines, where they will throw in different bitcoins from different people and it will come out the other side, and the tumbler system itself will charge a varying percentage in order to wash that cryptocurrency.

Video Reference (00:23:32):

You have the "Organisational Leaders"; these are essentially the Miss, Mr and Mrs Big of cybercrime, these are the people who organise cybercriminal projects, and we'll talk a little bit more about them as we go on. You've got "Programmers"; these are the guys who develop the exploits and malware to commit the cybercrimes. You've got "Distributors."

Video Reference (00:23:50):

So, think of it, I mean, it's broken down just like an economy. So, if I steal 50,000 bank account details, I need to sell those to a distributor. I'm not going to sell them to a low-level criminal who's working off, you know, lists of fifty or a hundred at a time, because they want to use bank account details to try and hack in, or they want to use credit card details to order goods online and have them dropped off at a drop site. So, you have distributors, you know, you have wholesalers, you have right down to the retail end. And you've got the "Tech Experts"; these are the ones who maintain the criminal enterprise's IT infrastructure.

Video Reference (00:24:25):

So, they have IT support departments. They cover off everything from the servers, encryption, their databases and so much more. You have the "Hackers" themselves, who will search for and exploit the application. So, these are the guys who carry out, and manually if you like, hack into systems, using a lot of the tools as well. And you have "Fraudsters"; these are the guys who invariably are often in the real physical world, from the point of view of a lot of the scams they carry out. They may use social engineering, and they may use the data that they have stolen and gained in order to carry out another scam, but they'll also do phishing scams as well in order to work their way into networks and to steal more data. So, lots of different variants; again, you're probably already picking up the stuff of grey areas between these people; they may have multiple roles within the economy.

Video Reference (00:25:14):

So, let's have a look at money mules. So, this is an email purporting to hook people in for a job application at Credit Suisse in Australia, and this is quite an effective one. You can see that the website looks pretty legitimate, and thousands of Australians fell for it. But the reality here is, when it comes, and you often see these signs around in the physical world, from the point of view of "hey, work from home, earn extra cash", or you see ads in newspapers saying "international company wants to open up a country manager" and have a site in a particular country, and they want to use somebody.

Video Reference (00:25:52):

And what the technique here is, what the tactic is, is that they will recruit somebody, and they may pay them for the first couple of months, and say to them, "Hey listen, we're a big corporation, we have a big fancy website up online", so when somebody does a little bit of research they say "Yes", because they look like they're well established, they're in the United States of America, they're in Australia or whatever, and then they are looking to switch to Europe, or they are looking to come to your geographic location, whether it's South America, Asia or whatever. And they will try to hook you in, and they are very convincing, very, very convincing. And what they want you to do is, for the first couple of months they say, "Listen, we're going to put a couple of thousand euro perhaps into your bank account because you did some part-time work for us."

Video Reference (00:26:27):

And then all of a sudden the story changes. That story may be that they haven't had time to open up their corporate bank account in the country, and they want to deposit a substantial amount of money into your clean bank account, which isn't being monitored, isn't being tracked in any way by the banking system, and they want you to send the majority of that balance on, maybe via Western Union or through cryptocurrency, but effectively launder that money.

Video Reference (00:26:56):

So, let's think what that means. So, what you've got is a clean bank account; you've been duped into being the money mule, and I say duped, but a lot of what we have is witting and unwitting money mules. So, we've seen that they target an awful lot of students, because students tend to see this as an easy way to make money. They claim ignorance, but they will use their clean bank accounts as part of this, and the criminal fraternity know that it's an easy hit for them to hook these guys in, and new student bank accounts as well, so it's just worth knowing that.

Video Reference (00:27:26):

And what they'll do is they'll transfer, let's say for example, €50,000 into your bank account, and they say, "Hey, I just need you to transfer €45,000 of that, and you keep the other €5,000 for yourself for performing these services", and pass on the other €45,000, so you do that. And then before you know it, you get a knock at the door from law enforcement saying, "€50,000 was stolen from somebody's bank account and was put into your bank account, what do you know about it?" And that's the reality. This is how they often clean money and how they transfer money.

Video Reference (00:27:56):

Some of the sample titles we see: you get the point here; these are almost too good to be true. Earning cash, extra significant money, part-time from home, and so people need to be aware of this, not to become part of that underground economy of cybercrime as well, and to be aware that this is how the everyday business of laundering money is drawn on by different levels of the cybercriminal community.

Video Reference (00:28:32):

So, let's have a look at some of the other reasons why this has developed so much. Well, there is the malicious tool evolution. I refer to this insofar as technology is obviously developing so quickly. We see this with our latest gadgets and our latest solutions online and so on, artificial intelligence being built in, and criminals are very aware of this and are at the cutting edge of technology all of the time.

Video Reference (00:29:16):
One of the biggest catalysts that has transformed the world of cybercrime is the
development of crimeware making it easy, making it for everybody, so that it
becomes ubiquitous: anybody who wants to get involved in any element of
cybercrime can do that, because you can simply buy a tool that will carry out whatever
that activity is. So, you no longer need to be that hacker in the toga, eating Smarties,
drinking cans of Coke with empty pizza boxes beside you; those days are gone. These
are everyday people as well that can hire something, or they're just disgruntled with somebody
maybe and want to carry out something, or a cheating spouse, whatever, and these tools
are for sale openly in many cases on what I call the surface web. That is the
internet that you gain access to from the likes of Google and so on. Also, in
the darker areas of the deep web that we refer to as the dark web; as I say, we're going
into more detail on that over time.

Video Reference (00:29:51):
But let's have a quick look at an example of crimeware. So, being very conscious of this, what
we don't want to do is turn this material into teaching people how to become
cybercriminals. So, what I am going to refer to are rather dated cybercriminal tools, but
they will illustrate the point about the abilities and techniques that are used by the bad guys.

Video Reference (00:30:16):
So, in theory somebody goes to the hackers' marketplace, they decide what tools they
want, and they go to take that tool, whether they want to hire it or whether they want
to buy it, and carry out the activity themselves as related to that. So, the example I am
going to use is a tool called SpyEye, which is a crimeware tool for stealing credit
card details but also does a lot more things, and I think it's a great tool to illustrate some
of the characteristics of how crimeware works. This tool is probably a decade old at
this stage; it used to sell for about US$500 and had many different aspects to it which
I’ll go through.

Video Reference (00:30:58):
First of all, let's look at the user interface. It's nice and easy to use. This isn’t command
line stuff; this isn't where, you know, you have to understand your way around different
operating systems and be able to hack your way through. This was a nice, easy to use
interface. People could go through tutorials and everything else like that; there was online
support, the whole lot of it, as we go through. So that’s actually a screenshot of the
admin screen there.

Video Reference (00:31:22):
But first let me explain to you some of the ecosystem they use. They use something
that we refer to as botnets. So, what botnets are is a network of infected computers
or devices. So, you start off where somebody wants to build up a botnet, or a network
of infected computers, and we refer to that person as a botnet herder. A botnet herder
will then send out a piece of malware to somebody; they click on a link, maybe in an
email, or they visit an affected website, and it starts infecting their computer, whether
it's a PC, whether it's a laptop, even a phone, whatever it happens to be, and they'll
build up this network by hiding this piece of software in the background.

Video Reference (00:32:03):
So, when you think of the situation whereby sometimes you did nothing more than
you've clicked on a PDF file or you have clicked on a link, and there's been a little bit of a flash
up on the screen and it has gone down. You see nothing more, but what you do notice
from time to time is your battery in your phone is really warm but it's not doing
anything. That's because it’s doing something in the background, or you notice the hard
disk drive light on your PC or your laptop is constantly whirring, or the machine
goes slow for no particular reason. Because probably what's happened is you were
infected and you're part of a botnet, you’re part of this kind of network, and there is
something in the background of your machine working for the bad guy, and you become
part of their army.

Video Reference (00:32:46):
These botnets are into the tens of thousands and even hundreds of thousands of
infected computers that these guys can call up and use for whatever they want. And
the way they do that is they install what we call a “C2 server” or a “Command and
Control Server” and that is often on an infected environment. So, in other words, that
could be somebody else's network that they have hacked into. They've installed the
administration panels up there as the command and control server of SpyEye, and they
will have access then through what we call proxies.

Video Reference (00:33:14):
So, proxies are computers that hide your identity or obfuscate who you are as you go
through, and they might go through a number of different proxy servers in order to
hide the identity of the botnet herder. So, it is an overly simplistic view of it here, where
we have the bad guy going through the command and control server, but he's able to
call up the affected machines.

Video Reference (00:33:34):
So, all that piece of software that gets on to those infected machines is listening for is:
when does home call us, when does it want us to do something? So, when the bad guy
contacts the command and control servers and says “okay, wake up my army of
infected computers” because I want them to do something, I may want them to DDoS
something, I may want them to send spam email, I may want them to put through credit
card transactions, whatever he or she wants them to do, he or she is able to do via
the command and control server. So that again is a very high-level, macro view of what
a botnet is: it's a network of infected computers, and this is the backbone of the
ecosystem of bad guys; how they carry out spamming and so on is by using botnets.

Video Reference (00:34:17):
Okay, so let's go back to the SpyEye toolkit and let's have a look at examples of how that
could potentially be used. So, you’ve got your botnet herders, they’ve got the command
and control server, and they go into the admin panel and they set up what they want it
to do. Now, formidably, SpyEye was used and designed for stealing credit card details
but can also put through lots of different transactions and so on; there are so many
different configurations of it that can be carried out. This became the Swiss Army Knife
or tool of bad guys, in that they were able to do all sorts of different things they wanted.
They could test the environment of their victims' machines to see what was on them,
they could monitor looking for keystrokes for passwords, they could, as I say, take
credit card details or take other information that they need to carry out whatever they
need to do.

Video Reference (00:35:00):
So, one of the things they would do, for example, is every time a credit card was used on
those infected computers those credit card details would be sucked up onto the
command and control server and would start building up the database. Then that
database, of course in theory, would be sold off on the marketplace, on the criminal
marketplace. So, they've got hundreds of thousands of computers out there infected and
not alone are they becoming these machines that can be used as part of a criminal
army, but also the data being used by the victims on them is being stolen and
sold, so they’re really sweating the asset here.

Video Reference (00:35:34):
So, the way SpyEye works is they can either take up the information on that or you can
upload from an Excel spreadsheet or CSV file, whatever you want to do. And typically, the kind
of scenario that we saw was that they would put something up for
sale on the marketplace, and that marketplace might be just a site that sells utilities for
converting data from one phone to another or video from one type to another. But a
marketplace where there was a lot of volume of transactions, and they would claim to
own that particular digital asset, whether it was a utility or whatever it happens to be,
that somebody would want to buy, and somebody would take out the credit card and
put through the transaction without too much thought process in it.

Video Reference (00:36:19):
They would then use SpyEye to automate the purchase. So, what they've done is, let's
say for example, when they have created the botnet they might have fifty thousand
people on their botnet and they’ve got fifty thousand credit card details; they now put
through fifty thousand credit card transactions, but the system is sophisticated enough
to do this in timed intervals and so on, to avoid being spotted by the anti-fraud
techniques.

Video Reference (00:36:45):
Then what would happen is they would do this in a relatively short period of time so that
they would get paid out by the legitimate site that has mistakenly sold something that
they didn’t realize wasn't owned by, or wasn't the copyright or the intellectual property of,
the entity that has been selling it online.

Video Reference (00:37:06):
They will also transfer that money automatically off, so this became, like, you know, a
completely automated business model for them, because their data and their money
from their PayPal account, or whatever account that they were holding that money in,
would then be automatically transferred over and go through the whole process over
to the money mule and then back and cleaned off. So, this SpyEye was effectively
“crime in a box” from the point of view of being able to do it online; they were able to
automate their whole entire 24/7 operation, globally, for US$500.

Video Reference (00:37:39):
So, you can see why cybercrime, the rate of that, grew so much, because it became so easy to
do, and in different regions around the world you would simply buy or rent this kind of
software in order to carry out whatever the tactic was.

Video Reference (00:37:55):
One interesting thing was, and we see here that one of the competitors to SpyEye was
something called Zeus, and I'll talk more about this as we go on, but what the bad
guys would do is they would make sure that other bad guys didn't get into their
territory. So, one of the key things when they were installing SpyEye was that when
they infected a computer they would look to see if any of their competitors were on
that environment, and if they were it could kill off the competitors. So, you can see the
whole criminal mentality here of owning the territory, protecting it, making
sure nobody else got in; if someone else is in there, essentially digitally bullying them
out of it by killing off the competitor's software and then protecting that environment
as part of their investment, as part of something that they were doing.

Video Reference (00:38:40):
So, there are so many different modules. Like, the billing hammer module was
something that could be used to automate the credit card transactions, but it would
know, for example, which IP address of an infected computer to use and put
the transaction through related to the billing address. So, let me explain that in a bit
more detail. Let's say, for example, that one of the stolen credit cards was from London;
it would know that when it put through the fake transaction to the e-commerce site to
use an infected computer in London, so that when the anti-fraud system looked at it, it
would say “well, that credit card is from London, he must be okay, or there is a high
chance it is ok, so we let that transaction go through,” as opposed to if they put it
through and they used an infected computer in Ukraine or Nigeria it would turn
around and say “nu-uh, we're not letting that transaction go through.”

Video Reference (00:39:30):
So, they were able to take out the competition and use lots of different stuff. Here we can
see with the billing hammer module, they would use Irish credit cards in Ireland, UK
based ones in the UK and so on, all around the world and right down to the locality; they
knew where that infected computer was and they would put the transaction through
pretending to be from that infected computer.

Video Reference (00:39:50):
So now let’s change gear a small bit; let's look at cyber warfare. One of the interesting
things is that with a lot of these things we talk about, they can't even agree the
spelling, never mind the definition, of some of these terms, so things like cyber warfare,
cybercrime, cyber security and so on. But this is the closest thing to a definition that I
think we can agree on, which is “cyber warfare: actions by a nation state to penetrate
another nation's computers and networks for the purpose of causing damage or
destruction.” That's about ten years ago that statement came out, but ten years on it is
definitely very real, and there's a lot of debate about whether cyber warfare is real or
whether it is simply just skirmishes and so on, and I’ll let you be the judge of that.

Video Reference (00:40:31):
But the reality is, you know, Barack Obama came out and listed the digital
infrastructure of the United States as a strategic national asset that therefore had to be
protected. In May 2010 they started CyberCom in the Pentagon, and this
proliferated around the world: conscription into cyber armies, huge investment for
different countries, because they saw that the fighting in the warfare is now something
that's going to be done on a cyber basis. So, it's so much easier to turn off the oil, the
electricity, the gas of a country than it is to drop missiles on it and to completely
destroy the infrastructure.

Video Reference (00:41:12):
So this is why cyber warfare is something that they can hide behind an awful lot; they
can carry it out quite easily, and The Economist refers to it as the fifth domain, so
you’ve got land, air, sea, space and now cyber space as being the fifth domain of
warfare.

Video Reference (00:41:27):
So, we’ll touch upon this a little bit as we go through, but a couple of the terms I want to
share with you: SCADA is short for Supervisory Control and Data Acquisition. It's a
type of industrial control system, or ICS. Industrial control systems are computer
control systems that monitor and control industrial processes that exist in the physical
world. So, what do I mean by that? What I mean is that all the utilities that you can
think of, whether it is water, gas, electricity, whatever it happens to be, were designed
to be run and monitored by SCADA systems that use industrial control systems, and
these systems were designed to be foolproof, easy to use and reliable, but not
necessarily to be secure.

Video Reference (00:42:10):
So, in today's world these are the vulnerable pieces, these are the soft underbelly of the
world's ecosystem, because these are the things that, certainly if we believe in the cyber
warfare piece, are the target, the groups that have been targeted by other nation states,
because they want to be able to control the electricity, the gas, the oil, everything
within countries, and it’s going on. Later during the course I’ll talk about this in relation
to case study examples of how this was actually carried out, for example in relation to
Ukraine and how they turned off electricity to an entire country in the middle of a
winter to make a point, a political point. So, I just want you to understand about the
systems called SCADA systems and ICS systems, and that they're effectively the management
systems of the utilities.

Video Reference (00:43:03):
Okay, let's have a look at Project Aurora from 2007 so we can delve a little bit deeper.

Steve Kroft: Of all the critical components of the US infrastructure the power grid is one of
the most vulnerable to cyber-attack. That's because the power grid is run and
regulated by private utilities which are unbeholden to the government security
decree.

John Mulder: I walk through the steps a hacker might take.

Steve Kroft: Here the Sandia National Laboratories, Department of Energy specialists like John
Mulder try to hack into the computer systems of power and water companies
and other sensitive targets in order to figure out the best way to sabotage.

Steve Kroft: It's all done with the company's permission in order to identify their
vulnerabilities. This is a graphic demonstration of how they could have distorted an
oil refinery by sending out codes that caused a crucial component to overheat.

John Mulder: The first thing you would do is turn it to manual control so that your automatic
controls aren’t protecting it.

Steve Kroft: What would be your main target here?

John Mulder: They see elements and the recirculator pump. If we could malfunction both of
those, we could cause an explosion.

Steve Kroft: How would you do that?

John Mulder: The first thing we had to do was actually gain access to the network and that’s,
we'll just go ahead and launch attacks and then return to me to use and we're
turning off the recirculator pump. There we go.

Steve Kroft: How realistic is this?

John Mulder: It’s very realistic.
Steve Kroft: But the companies are under no obligation to fix the vulnerabilities, which was
graphically demonstrated in a much more realistic fashion at the Idaho National
Labs two years ago in a project called Aurora. The group of scientists and
engineers at the Department of Energy facility wanted to see if they could
physically blow up and permanently disable a twenty-seven-tonne power
generator using the internet.

Jim Lewis: If you can hack into that control system you can instruct the machine to tear
itself apart, and that's what the Aurora test was.

Jim Lewis: Then if you’ve seen the video it's kind of interesting, because the machine starts
to shudder, you know, it's clearly shaking, and smoke starts to come out. It
destroys itself.

Steve Kroft: And what would be the real-world consequences of this?

Jim Lewis: The generators that we depend on for electrical power are 1) expensive, 2) no
longer made in the US, and 3) require a lead time of three or four months to
order.

Jim Lewis: So, it’s not like if we break one, we can go down to the hardware store to get a
replacement. If somebody really thought about this, they could knock a
generator out, they could knock power pipe out for months, and that's the real
consequence.

Speaker 5: This is the leap from theory to reality.

Video Reference (00:45:41):
So, here to bring it more up to date from 2007, you know, is a beautiful holiday resort,
Natanz in Iran. I joke; this is actually a uranium enrichment facility, a significant part of
the nuclear program of Iran. And seven meters underground is actually where
they carry out their activities. You would think, in what we call an air-gapped
environment (that is to say, air-gapped means not connected to the internet),
seven meters underground, how would you hack into a system like this?

Video Reference (00:46:19):
So, rather than drop missiles to knock back the nuclear power program of Iran, the best
recorded facts around this are that this was a joint effort between the Israeli
government and the American government, where they created a piece of, effectively what
we call code warfare: it was a weaponized piece of software called Stuxnet, and
Stuxnet used zero-day vulnerabilities. Zero-day vulnerabilities are the most
expensive vulnerabilities that cybercriminals would sell, and they sell for hundreds of
thousands of dollars in many cases. And it’s zero day because nobody knows the
vulnerability exists; therefore it's the most powerful kind of vulnerability to use, because there
is no control or safeguard against it. So, whoever pulled together this software to carry
out the attack on the Natanz uranium enrichment facility, money wasn't a motivator.

Video Reference (00:47:19):
It's one of the most fascinating leaps, the jump from being a cyber-attack to a kinetic
attack, because it caused physical damage in what it did. No bombs were dropped, as I
say; there was no military deployed. They simply put out a piece of software that
looked for a specific environment, and that's all it did all the time: it looked for a specific
environment, in relation to how they could find a particular industrial control system,
with a particular fingerprint, in a particular environment.

Video Reference (00:47:55):
That piece of software went all around the world until one day it ended up on a USB
key, and that USB key was brought down seven meters underground and put into the
system down there, and it woke up. It lay dormant until it knew it was in that kind of
environment, and it knew to look for the industrial control system, and as soon as it did
it carried out what it needed to do, which was effectively send fake information to the
people administering the environment, cause things to malfunction and knock back
the nuclear program of Iran by six months. So, all in all it was seen as a huge military
success, but of course everybody denied being involved in it.

Video Reference (00:48:37):
Let's talk a little bit about ransomware, getting back to the more, to do, some kind of
threats that are hidden in organizations. Ransomware has been around a long time, but
again, because it's become so pedestrian, it's become commoditized to the point that
these bad guys are signing up using crimeware to carry out ransomware attacks.
Ransomware being the fact that you lose availability of your assets: so you click on
something, it installs the malware onto your machine, that malware starts encrypting all
of the information on your machine and any other machine, any other data that your
machine has access to in theory, and locks things down. And all of a sudden a message
pops up and says “Hey, if you want access to your data again you have to pay a ransom
in cryptocurrency. Pay this much by then, otherwise the rate goes up, and if you don't
pay by X date you will lose your data completely.”

Video Reference (00:49:34):
This has had massive devastating effects on not just individual businesses but massive
corporations and also government bodies, where we’ve seen literally complete physical
geographic regions being hit with this, across government departments and so on
around the world. A very powerful tool, based on the fact that it's so easy for them to
deploy it. But it's also quite easy to prevent in many cases as well, and we'll talk a little
bit more about that as we go through. But this is one of the most prevalent threats that
any organization can face: ransomware. When it comes to things like incident
response and so on, we will talk about effective playbooks you can have in place to
respond to ransomware attacks and so on. So, you need to be aware that ransomware
is one of the top-end pedestrian kind of threats.

Video Reference (00:50:23):
There is another kind of threat we talked about, and you hear an awful lot about it, but I
want to put it in perspective. They are more surgical, and they’re called APTs: Advanced
Persistent Threats. Generally, there's a nation state behind an Advanced Persistent
Threat, because what it means is that they’re using a disproportionate amount of effort
to carry out their game.

Video Reference (00:50:42):
So, let's juxtapose two things: if I’m a cybercriminal or I’m a nation state cyber threat
actor. If I was a cybercriminal, I'm investing a certain amount of time and money and I
want to see a profit. So, I want to carry out my objective to do that. However, if I’m a
nation state this may be for geopolitical reasons, this may be for vast economic
reasons, security reasons; I will use advanced and persistent techniques until I carry out
my game. And that may be a combination of social engineering, advanced malware, all of
those kinds of things in order to go after specifically what I want. So we refer to those as
APTs and APT groups, and there are lots of those that we will be talking about over time,
especially in the case studies, but they tend to be the top end of things, and it's very
difficult because it's not really a fair fight if you're trying to defend against a nation
state army. And so we get into that in a bit more detail about what can be done and
what's realistic, but not to lose faith in the fact that there is a point in actually defending
against these things as well and being able to protect an organisation.

Video Reference (00:51:43):
We see the development of the cyber threats in a massive way. So, at the moment
we're looking at these sorts of ultrasonic threats which are coming out, which will send
out sounds from people's phones and so on that will call up other devices. So, a human
can't even hear the pitch of what comes out, but it's able to call up
other devices in a room and get them to carry out activities. We've even seen in the
non-criminal world, if you like, we've seen organizations such as Burger King use
techniques like this to call up internet-of-things devices in people's homes within TV
advertisements and so on. So, they call up Siri or call up Alexa or whatever and get
them to do certain things.

Video Reference (00:52:24):
So, the theory here is that something can come through on your phone sitting there
which might call your internet-of-things front doorbell or front door lock and get it to
open up the door, or turn on a camera, or turn on audio recording, or whatever it
happens to be. So, what we’re seeing here, and my point here, is the proliferation of
extended technology and cutting-edge technology by these cybercriminals at all times.

Video Reference (00:52:46):
So, I mentioned nation state groups and APTs, and there are lots of different APT types of
groups. Generally, the poster child for the bad guys in this area is the People's
Liberation Army of China, and that is just because that suits the narrative of other
nation states to point the finger in just one particular direction of what's going on. So
here we have the FBI looking to arrest, and putting out warrants for, even military
soldiers, which has never been done before, who are carrying out certain activities, and
it's not always the military units themselves, but they are sophisticated.

Video Reference (00:53:25):
One of the most famous cases is Unit 61398 of the People's Liberation Army, which is
effectively an army whose job every day is to go in, in full uniform, and work in a military
base just to carry out these kinds of activities. We've also seen this from North Korea,
we’ve seen this of course from pretty much all of the other countries around the world
who say they do it for security reasons, but the reality is we have to think that they do it
for economic reasons at times as well.

Video Reference (00:53:49):
Here, for example, again, one of the environments to be aware of is Russia, which is often
seen to harbour the bad guys, if you like, so a lot of cybercriminal activity is carried out
from Russia. Why are these people not, you know, facing law enforcement and justice?
And the reason is because they're often being used by that nation to carry out other
activities. Again, as I say, we'll go through that in cases such as the Ukraine national grid
attack and so on. But we see this for a geopolitical reason, so we’ll talk about this
when we look at risk as well in organizations, where we look at the inherent risk of an
organization and how it is geopolitically related, so we often see warning shots going
across the bow of other nation states.

Video Reference (00:54:36):
So, when there is posturing going on in the Ukraine, all of a sudden some of the key
entities in the United States of America may be hit with significant outages or attacks
online. And that is posturing, that is firing across the bow to be able to say “Hey, listen,
you know, will you back off, because you know that we can do things if we decide that
we want to do them.”

Video Reference (00:55:00):
So you see that all of the time. My key point here for you is that in today's world, if
you're going to effectively manage cybersecurity risk in an organization, you have to
understand the geopolitical links, because what happens in the real physical world
immediately impacts the cyber threat world, and we see this all the time. Whatever's
happened politically in the world, the dials, if you like, will change in the control panels of
all the threat monitoring around, because you'll see different nation states taking on
different activities and so on as it goes round, so it's very important to understand
that link between both sides of things.

Video Reference (00:55:35):
And we see, as I say, time and time again, big cases there which were high profile, around
JP Morgan and so on, linked within minutes and hours to the attacks starting from activity
in the Ukraine.

Video Reference (00:55:47):
Then we see old stuff in a new way. So here we have the pangolin, the most trafficked
animal in the world. We see animal traffickers, we see human traffickers and so on
carrying out their nefarious activity by using the ecosystem of the cybercriminal world.
Hiding messages, sending payments, processing, laundering funds, secret
communications, all of those kinds of things are using the cybercriminal ecosystem to
carry out this kind of stuff. Not just with animals, as I say; there is people trafficking,
there is flora and fauna, everything you can think of is being carried out on that basis.

Video Reference (00:56:24):
And one of the reasons for that proliferation is the dark web. So, the dark web: let me
give you a quick breakdown on what the dark web is. So, the United States Navy has
hundreds and hundreds of what we call analysts, and those analysts’ job is to monitor
different organizations around the world, different entities, different people and what
they're doing. And they realized that people understood that it was the United States
Navy because of the IP address range and so on, all the time. So, it's very easy to spot
that you are being surveilled, so if you were somebody that was hiding something from
the United States military it was quite easy to understand that it was the United States
Navy network that had just visited your website or just visited your organization, because
they would leave the footprints, if you like, the digital footprints of IP addresses and
logs and so on.

Video Reference (00:57:10):
So, they developed a piece of software called T.O.R - T-O-R - The Onion Router. And
what TOR was able to do is essentially scramble your location. So, if you think of those
old-fashioned TV programs where someone is trying to trace a telephone call and you
see them, you know, hopping all around the world, that's effectively what TOR does to
someone. And then they decided that, because it was a non-standard protocol,
everybody would still understand that it was the United States Navy that was doing
this, so they decided in their infinite wisdom to give it to the world for free, and all the bad
guys rubbed their hands and said, "thank you so much, you've now made this pedestrian
so nobody knows who anybody is, you've now made it so easy for us to be able to hide and
have this invisible cloak warmer online when we're carrying out our activity." And that
gave rise and growth to the dark web.

Video Reference (00:57:57):
So, when we look at the surface web, that is the internet that you access through your
favourite search engine, say for example Google, you're probably getting 3 – 5% of
the entire internet, because that is the part of the internet you're seeing that Google
has decided is worth indexing and worth showing to people, but there's so much more,
so much more. It's only a tiny fraction of what the internet is, and all those other parts
of the web are what we call the deep web.

Video Reference (00:58:27):
And in the deep web there is an area of that called the dark web, and these two phrases
are often interchanged, and you're not getting it wrong if you interchange them, but it is
a bad part of town, if you like, on the internet, not available through your favourite
search engine but easily available once you load TOR software, and it's like going on to
the internet ten, fifteen years ago; that's what it looks and feels like. But it is an area
where you can buy drugs, you can buy weapons, you can hire murderers, you can buy
stolen information, stolen goods, and at least some statistics will show that maybe 70 –
80% of the traffic there is actually child abuse imagery, so it is not a nice place to be.

Video Reference (00:59:11):
There are some good parts of the availability of this; for example, for anybody who is a
target of a government and being oppressed in any way, they have this technique, and
we saw this in the Arab Spring and so on. Being able to communicate and hide, that's a
whole other story and we will talk about that again in another module. But for the
intents and purposes of what I'm talking about here, you think this is a bad, evil place
and not particularly somewhere where I would advise anybody to go and play around
with, because generally people who visit are fascinated, become desensitized very
quickly and then become victims of something there online. So, just be aware this is
the marketplace, the area, the environment that these guys are working in.

Video Reference (00:59:51):
Here I'm showing you some examples of screenshots from the dark web. You can see
that any kind of drugs can be bought, and again this is a rip-off from the point of view of
rip-off sites, because it's community based; they are selling because they are
successful. In the top right hand corner there we see Silk Road. Silk Road did over one billion
in its first year of trade. These guys are using cutting edge technology. So, in the big
red box in the centre you can see this is a murder website where you were able to hire
somebody to murder people, to cripple them, to rape them, to bomb them, or to beat
them. And you see the price range depending on whether they were a regular person, a
public person, how many guards they had.

Video Reference (01:00:34):
And the reality is that most of this is real. And it's real because there's no point in them
putting it up there if they don't have satisfied customers who were putting up reviews
of the services so they can get more business and so on. And then we can see our
pangolin up in the top left for sale. We see insider dealing in the bottom left hand side
there. Those kinds of sites cost six figure sums to join, and then when you go in you
can see all the insider information that's being shared. Above that we have the Islamic
State websites where they were showing people how to plant bombs, and not just how
to make a bomb but how to plant it to cause the most damage, how to put rat poison on the
nails so that when people would become victims of the blast, they would become
affected.

Video Reference (01:01:20):
So, you can see this is an evil, evil area, and one of the areas we see within that is even organ
harvesting. Ways that you can order different organs, and of course they are coming
from people who are either being trafficked, kidnapped, street kids, whatever happens
to be, so this is an evil part of humanity connected in the dark web.

Video Reference (01:01:36):
So, let me now give you a quick overview of the anatomy of a standard kind of attack.
Okay, so all hacks and attacks are a little bit different but what I'm going to do here
now is I'm going to walk you through the standard sort of protocol or steps which I
think will open up your eyes to see how well organized these guys are and how they
operate. It'll pull all the pieces together that we’ve just gone through.

Video Reference (01:02:08):
So, first of all you've got your bad guy, and your bad guy decides that he wants to do
something, whether he wants to steal data or bring down a website, whatever happens
to be. What they will do is they will carry out the reconnaissance, and reconnaissance is
stage one. And they will look on open source intelligence forums, and by that I mean
Facebook, LinkedIn, Twitter and so on, and they start building up a profile of their
target, whether that's an individual or an organization. So if it's an organisation they'll
be working out, well, who is in charge of security, who's in charge of payments, who's
the CEO, all of those kinds of things, and this is called doxing, D-O-X-I-N-G,
sometimes called doxxing, D-O-X-X-I-N-G. And what that is, is building up a profile to
understand the infrastructure and the ecosystem of that entity you're going after so
that you can carry out whatever social engineering, whatever scam you need to,
which may be part of it, and the more information you have the better from that point
of view.

Video Reference (01:03:06):
They now go into the next phase, which is weaponization. So, weaponization is "choose
your weapon" for whatever they have decided to do. So, let's say for example they
decided that they want to hack into a retailer and steal all the credit card details; whatever
it is, they will start: "well hey, we're going to need a phishing website, we're going to need
some targeted emails, we're going to need to put on some malware, we're going to
need to exfiltrate that data out." And they will break down all the different things they
need and all the different weapons they need. They may decide that they want to do a
DDoS attack as part of what we call a blended attack. A DDoS attack would be a
Distributable Denial of Service attack, which is effectively sending tons and tons of
traffic at somebody's website or somebody's web facing resources in order to make it
fail. That of course would discombobulate the security teams in the retailer; it would
distract them, and therefore the bad guys may be able to carry out whatever the real
plan is. We see that as part of an awful lot of attacks.

Video Reference (01:04:03):
So, they will then find a target they want. So, in this case let's say for example that they
have decided that they want to target someone in the head of marketing. They send
this particular lady a really customized phishing email which is pointing out some
known information in there. So, they might know her boss's name, they might know
that they're traveling at that particular time, and they will psychologically customise
that email to give it a higher rate of being clicked on. It could even be something
very simple, like knowing socially an aspect of her, that she's into race driving or
she collects budgerigars, whatever happens to be. They'll send something that
has a psychological trigger that somebody is more inclined to click on.

Video Reference (01:04:50):
So, they'll send the email to that target, and as soon as that target clicks on a link,
whether it is an attachment or a link or visits a website, whatever threat vector they've
decided that they want to infect that machine with, that's all they need to do. It takes a
split second and they will install that piece of malware on the machine. As soon as
that's on her device, on her workstation or laptop, whatever it's on, it is now effectively
like it's sitting at her desk in her office and he can see whatever she can see. But one
of the first things that it will do is it will phone home over the internet, so to speak, and
it will talk back to his command and control server, going back to that break where we saw the
botnet and so on.

Video Reference (01:05:34):
So effectively this infected workstation is now phoning home to the bad guys at the
command centre and will accept commands. And as soon as it does that, the command
may be to start sniffing around the network. So, again, it's sitting like this lady in front
of her workstation; it's able to see whatever she can see on the network, and it will start
sniffing round, moving laterally across the network. It may decide to bring down more
malware from the internet and install more tools, rootkits and so on, that can be used, so
these are other toolkits used by the bad guys to carry out more reconnaissance
internally on the network. Because they got their foot in the door by getting her to
click on the link, once they got their foot in the door, they can pull down any more
tools and things that they need and have control over what's going on. They also have
probably full control over her machine at this stage, so they are monitoring her
keystrokes, they're picking up her passwords. They're getting everything they need,
and they are building up all the profile of what's going on.

Video Reference (01:06:28):
So, they're now into exploitation mode, where they're going to look across. They start to
exfiltrate the data back out to other sites. In, for example, the case of the big retailer
targeted attack, we saw this data going off to three different sites because they had
resilience built into their attack program, where they thought "well, if one SQL database
goes down at least we've got two others." And they have three streams of the data
going out at the same time, and the stock exfiltrating the data across.

Video Reference (01:06:58):
And one of the last steps they'll do is they will protect you; they will protect that
network. So, they have gone to the trouble of investing in hacking into you, and now
what they want to do is protect your network from other bad guys, and they will make
sure that the other bad guys don't get in onto your network. But what they're also
doing at the same time is making sure that they're not discovered, and that if they are
discovered the alarm will go off. This is where we see, when people go to handle
incidents themselves, they spot someone on the network and they make the mistake of
maybe just closing them off on the firewall.

Video Reference (01:07:31):
As soon as things like that happen, these guys have other back doors now into your
system, and what they'll do is they'll throw the equivalent of what we call a digital
grenade over the shoulder. And by that I mean they might drop a list of all the
usernames and passwords up onto a Pastebin website, they might decide to put a
load of child abuse imagery onto your network, which means you are now obliged,
morally as well as legally, to contact law enforcement and get them to
investigate; they may seize servers and so on, and you may have a lot of
downtime as a consequence. So, you have to be very careful how you get bad guys off
your network when they come in, but we'll talk about more of that in the relevant
module.

Video Reference (01:08:12):
So, one of these things, as I say, is they protect your environment; they don't want to
let the bad guys in, but they also have alarm systems to make sure bad guys don't
get in and the good guys don't detect that they are there.

Video Reference (01:08:23):
So, let's tie all this together and we will look at cyber terrorism. Again, the term
cyber is hyperbolic, overused, but it is part of what this is all about, because this
essentially points out that the activities are old stuff in a new way, and terrorists have
also adopted this in a massive way.

Video Reference (01:08:41):
So, let's look at a case study sample here. It's Friday, June the 3rd, 2017, and it's ten
o'clock in the evening, and in London city people are enjoying, after a hard week's work, a
meal, a couple of drinks and so on. All of a sudden, these guys pull up in a white Renault
van and they jump out with fake bomb vests on and machetes and start chopping
people up. They killed eight people and injured forty-eight.

Video Reference (01:09:07):
The point I want to focus on is this individual called Rachid Redoune. Rachid was
also part of the cybercriminal network; he was involved in invoice fraud, and he worked
in the cell actually out of Ireland, and this is how they financed and communicated and
used an awful lot of activity. And this mirrors the overall approach that was taken by
ISIS in order to communicate, in order to build different cells and techniques around
the world, in order to radicalize people and so on, and even for lone wolf attacks, which was to
use this.

Video Reference (01:09:40):
So, we can see that this isn't just about somebody really clever breaking into a bank
and stealing money, almost with a Robin Hood effect. This is about evil being
connected and being able to carry these things out. So if you are defending your
organization against people stealing data, you're effectively stopping people who are
trafficking children, who are selling organs, who are selling endangered species of
animals, who are blowing up human beings; you are defeating evil by effectively
managing cyber security risk within an environment.

Video Reference (01:10:14):
So, at that point I conclude with our key lesson - your adversary is highly organized and
effective; the cyber bad guys network, they collaborate and assist each other. Their
global ecosystem supports a trillion-dollar underground economy, so this is real. And
this is just our background to the reason why it's so important for all of us to
understand how to develop cyber risk management techniques and tools in order to
protect not just ourselves and our organizations but society itself.

MODULE 1 CASE STUDY – TRANSCRIPT

Video Reference (00:00:14):
Hello, and you're welcome to this case study, DNC Email Hack. My name is Paul
Dwyer. I'm your head tutor, and I'm going to walk you through the DNC Email Hack
and explore what lessons can be learned. This case study occurs in the context of
the 2016 US elections. And we look at some of the activity that occurred around
hacking some of the email accounts, and the attempted hacking of the email accounts,
around the Democratic National Committee in the US. Many refer to this as a change
in the course of history. But I'll let you decide that when we've gone through the
material; we can review the impact that it may have had on world politics.

Video Reference (00:00:54):
To begin, let us put some of the characters into context. We have Hillary Clinton.
Hillary Clinton is a would-be 2016 presidential candidate. And you can think of Hillary
as being essentially the CEO of a business when it comes to this, because winning an
election, running a presidential campaign, is a business. And for that purpose, she had
hired John Podesta, a 66-year-old who had vast experience in not only the politics of
the United States, but in running such campaigns and in working with Hillary's
husband, Bill. He was hired as chief of staff, AKA the COO or Chief Operating Officer,
in January 2015. The campaign itself relied on thousands and thousands of staff. Some
of the staff were highly experienced. A lot of them were interns. Some of
them were suppliers, and they were broken up into a number of different fundraising
committees and so on. There was an elaborate, complex ecosystem of entities involved
behind the Democratic presidential campaign for 2016.

Video Reference (00:02:03):
There were only four people in the IT team that was running this multimillion-dollar
enterprise. And what was most surprising is that there was nobody in charge of IT
security. These are the characters in play. These are the key people involved in what
we're going to outline.

Video Reference (00:02:25):
Let's go to the 15th of March 2016. The DNC campaign was feeling the pressure.
Hillary had just won by the narrowest of margins against Bernie Sanders in Missouri.
That was at a 0.02% margin. And we need to remember that during these campaigns
that they're not initially going against their opposition parties, they're fighting to see
who's going to be nominated by their own party. Secrecy of information is really, really
important because essentially your colleague may get the jump on you and be able to
ask you awkward questions in debates, may be able to bring out those salient points or
positive points ahead of you.

Video Reference (00:03:13):
Confidentiality is very, very important internally within the structure of the
organization themselves, the DNC, but also of course against the others. And on the
other side of that, which would be, of course, in this case, the Republicans
and the Trump factor, because it was seen at this stage that Donald Trump was
probably going to be the Republican candidate. And Hillary and the DNC were
certainly feeling the pressure by mid-March.

Video Reference (00:04:02):
Then on the 19th of March, an email was received, and it was received into John
Podesta's email. John Podesta, again, you've got to think of John as being the number
two, the COO, the chief operating officer who was running everything the day to day
operations of the business. And this started off almost like a bobsleigh. This started up
all the activity that we're going to talk about.

This email came in, and it looked like it was from Google, and it said the following:

"Someone has your password.

Hi, John, someone just used your password to try to sign into your Google account,"

then the details and the IP address, and that IP address is of a telco in the Ukraine. It was
obviously very suspicious, and there was a link there saying, "Click on this to change
your password." Now, that is essentially a phishing email. The from email address looked
fairly legitimate. The layout of the email looked legitimate. But this isn't hacking; this is
a phishing email. This is an email received trying to dupe somebody, trying to fool
somebody into doing something. And in this case, obviously what they wanted the
recipient to do, John Podesta, who was the targeted recipient, was to click on
change password. Now, one thing to note at this point is that there were actually at least
three people who had the credentials to John's email account. These were his staff, and they
were able to access his email and send on behalf of him from that email account.

Video Reference (00:05:09):
Well, let's talk very quickly about email itself. We often refer to email as being the
cockroach of the internet, because we can almost see a generational divide here about
the sort of tools that are used and the apps that are used for communication between
different generations. But still email just survives, despite the fact that technically it
really should be gone. There's no encryption; it's difficult to verify the sender's ID.
Repudiation of knowing who you're dealing with is very, very difficult. It's easy to
tap, or for somebody to circumvent your information and to be able to read the
information, because it's essentially not secure. And it's hard to know if a message has
been received or read; it's difficult.

Video Reference (00:05:50):
For all these reasons, it really should be gone, but it's not. And it's used every single
day, I'd say, by all of us in business. And it's also used by bad guys as an attack vector,
primarily because it is the one piece that can bring everything down, because when we
think of it, for all of our different accounts, generally we use an email account to reset the
passwords. And if you can compromise that email account, that single piece, you can
normally gain access to everything. And that's often a tactic used by the bad guys: what
they want to do is compromise that personal email account, whether it's a Yahoo
account, a Gmail account, or some sort of personal email account that somebody has
that they use for resetting the passwords, because if they get that, that's the Holy Grail;
they then can start resetting all the passwords of everything else, Twitter accounts and
so on.

Video Reference (00:06:43):
This email was received, and Sara Latham at 9:29 that morning forwarded it to her IT
support colleague, who was Charles Delavan, because she thought it was suspicious.
And she just forwarded it on to see whether Charles, who was more expert in this area,
would revert with some advice, and he did, but unfortunately he was not very careful
when he was typing his response.

His response was,

"Sara, this is a legitimate email. John needs to change his password immediately and ensure
that two factor authentications is turned on in this account."

All this happened within 30 minutes of the email. He was quite responsive. He got
back; he sent the correct link on how to do that. But unfortunately, as he claimed after
that, he mistyped and he meant to say that this is an illegitimate email, not a legitimate
email.

Video Reference (00:07:41):
He wasn't careful on the integrity of the text that he was sending with the advice. But
let's look at this. Something he didn't spot was that the text in the subject of the email
is not quite right; you can see the characters are a little bit different, because what's been
done here is a technique that bad guys often use to circumvent ending up in a spam
filter, where they use different kinds of characters to look like letters, these Unicode
characters. You don't need to understand too much technically about it. But it is
essentially that, to the eye, that looks like "someone", S-O-M-E-O-N-E, but actually
there are different sorts of Cyrillic characters and so on in there that with a quick glance
look like the right word, but it's not, and the computer just interpreted and displays it
in that way. And that becomes very important as we go on to understand.

Video Reference (00:08:36):
Also, what gave them confidence, I suppose, when they were looking at these things
was that it was also verified by DKIM. And well, DKIM is an authentication system. We'll
talk a little bit about it in a second, but it's often used to prevent email spoofing. For
example, Google themselves would use DKIM to stop people spoofing and pretending
that they are from Google when they're sending out emails. The problem with this is
that it doesn't always work. It depends on how it's been configured and the different
parties and so on that are in there. I think for the purpose of this, what you really need
to understand is that Domain Keys Identified Mail is an email authentication
method designed to detect forged sender addresses in emails, a technique called
email spoofing that's used in phishing and email spam. These are safeguards, but they
are not foolproof, as we see in this case.

Video Reference (00:09:32):
Let's look further into the anatomy of this email. You remember that link that was in
the original email that Sara received, and it said, "Change your password." That email
was being sent to John; Sara opened it and there was a nice button there saying,
"Change your password." Well, behind that button was a link, and this is the link. And it
used a service called Bitly – B-I-T-L-Y. Bitly is one of these services where you can use
it to shorten a link from a very long set of characters into something much shorter. And
it was being used to do that. But when we actually zoom in on that, we see that the
actual link was to a domain ending in ".TK".

Now, I don't think Google would be sending people legitimate password reset emails
from Tokelau, which is a territory of New Zealand in the South Pacific, a small island.
That straight away, to somebody who's analysing it, a security professional or an IT
professional, shows that this is a bogus email. This is from an illegitimate source, and
it actually shouldn't be carried out. It's one thing pretending to be another. And what's
really interesting, when we run the stats across the Bitly account that was used to
create these links, we can see the wholesale attack that was going on against Hillary
Rodham Clinton. We see that there were actually 3,900 associated people that were
being targeted using over 19,000 different links between October 2015 and May
2016. That's vast, so you can see this was an orchestrated campaign, an absolutely
massive orchestrated campaign, targeting anybody that had anything to do with
the target.

Video Reference (00:11:14):
The target is Hillary Clinton and the DNC, and anybody who had anything to do with
that: suppliers, employees, ex-employees, professional advisors. Everybody was fair
game for this attack group that were going after them. And you could see the scale and
the vastness of it that was being used.

Video Reference (00:11:32):
Now, Charles had suggested to use two-factor authentication. What exactly is that?
We often refer to it as 2FA or two-factor authentication, or TOTP, which is "Timed
One-Time Password." And there are generally two variants of this. There's a variant
where you have an app on your phone and it creates a unique code, and you can use
that code with your password to go in. You're using two factors, your password and
this code, in order to gain access to whatever the resource is. Google Authenticator is
probably one of the most well-known ones that people can use with their Gmail
account. And it adds a layer of security because every 30 seconds the password
changes, or the number changes, the code that you use to go in. And there's another
version which can be done over texting, which isn't that secure, because texting can be
spoofed. The identity of the sender can be spoofed.

Video Reference (00:12:25):
We find that the apps are somewhat more secure. Depending on how they're
configured, they're somewhat more secure than using the SMS version of that. The
idea here is that if somebody has your password, it's not enough to gain access to your
system. They also need to use this unique code that changes every 30 seconds. What
you should be aware of is, it's not foolproof. And also, that code, although it says
it changes every 30 seconds, because there are different timings between servers, that
window is actually 90 seconds, because the seed stays alive for the previous 30
seconds and the 30 seconds afterwards. When you have a code, you can essentially
potentially use it for a minute and a half, which is a vast and huge amount of time for a
hacker to be able to gain access to a system. If they get their hands on your password
and they get their hands on this code, they still have a window of opportunity to access
your system.

Video Reference (00:13:20):
Let's look at phishing in a little bit more detail. This email was an attack technique
known as phishing. There are many forms of phishing, but if we look at what phishing is
in its raw state, it's these spoofed emails that are sent out where people are
pretending to be something. And I think it's important to realize the difference:
phishing is not itself hacking.

Phishing is the fraudulent practice of sending emails purporting to be from reputable
companies in order to induce individuals to reveal personal information.

That can be used as part of it. Some would refer to it as a hacking technique. It's part of
an overall campaign, if you like; it's part of the process of hacking, but receiving the
email itself, the phishing email, is not necessarily the act of hacking. The computer
hasn't been hacked. It has simply received an email.

Video Reference (00:14:17):
Smishing is that kind of activity but using SMS text messages on phones. Smishing is
the fraudulent practice of sending text messages to do the same thing. And we've got
different classes of phishing. We have mass scale phishing, which is when they send it
out, pretty much a shotgun attack where they're just sending it out hoping that it will
stick. And this is a numbers game. They send these things out in the millions hoping
that people will fall for it. They only need a very tiny percentage to fall for these emails
in order to be successful at what they're trying to do.

Video Reference (00:14:48):
We also have spear phishing. That's tailored to a specific victim or a group of victims using
personal details. For example, if somebody knows something about the target that
they can use in that email, that might make them psychologically more prone to click
on the link in the email. For example, if someone knows the name of their dog, knows the
name of their boss, knows the name of the area where they live, those kinds of pieces
of information can be used in an email, in the text of the email, to try and get somebody
to trust the email more and to click on it.

Video Reference (00:15:22):
And then we have a technique known as whaling. And whaling is a specialist type of
spear phishing. The targets, the whales essentially, are the big victims within a
company, i.e. the CEO or the CFO. And generally, we see those kinds of whaling
techniques going after either the Chief Information Security Officer, the Chief
Executive or the Chief Financial Officer, those kinds of people, and they will be very
specific. They'll take the time. This is not a mass email kind of thing. This is a very, very
tailored and focused surgical kind of email that'll be used to carry that out.

Video Reference (00:15:54):
Let's look at phishing emails by numbers to get an idea of the impact. Well, there are
actually over 4,000 phishing kits available on the darknet. What's a phishing kit? A
phishing kit is, if I decided I wanted to become a cyber-criminal, and I want to invest in
the crimeware and the tools that I need to create phishing emails, pretending to be a
bank or pretending to be a certain entity, I can buy a choice of 4,000 different phishing
kits. And these are the tools that would create these things for me, create the emails,
track them, everything else like that. Think of them as the marketing pieces of software
that allow them to do this really, really quickly, really effectively in different languages,
different verbiage, different techniques, and coding within those emails to let them get
past the spam filters and get past the security controls that are put in place.

Video Reference (00:16:44):
Generally speaking, the hit rate on these kinds of things is about 0.05%. There are 3.4
billion emails, phishing emails, sent a day. That's eye-watering, and it's probably
growing since we've looked at the statistics here. About 10% of those get through.
Only one in 10 actually get through the filters. 50% of those that get through the
filters are opened. 10% are clicked upon. And that relates to 17,000,000 credentials
being phished a day. It's an absolutely massive number. We're looking at nearly
2,000,000,000 credentials hacked a year through these techniques. The reason the
guys do it is because it works, and this is probably the number one way that bad guys
try to circumvent your systems: through phishing emails. And that's why educating
staff, getting them to become cyber savvy in relation to the techniques these people
use to carry out smishing attacks, phishing, whaling, all of these kinds of things, is so
important in an organization, because this is what lets people down. Around 90% of
breaches start off with a phishing attack.

Video Reference (00:17:52):
But now, let's look at the more advanced threat actors that we might think about, who
may have been involved in the DNC hack. We can look at what we referred to
before as APT groups, Advanced Persistent Threats. I'm going to reference two
groups here. One is referred to as Fancy Bear and the other is Cozy Bear. I joke not.
These are the true names of these groups. And these are two specifically Russian-origin
threat groups, state sponsored, known as APT-28 and APT-29, the code names. As you
actually research more and learn more about how these threat groups work, you'll see
that these groups are highly organized. For example, these two groups are part of the
GRU, which is the intelligence unit of Russia.

Video Reference (00:18:43):
And we can see that those groups were the same groups that were involved in, and
were caught red-handed, so to speak, hacking the World Anti-Doping Agency. This
is real. This is what goes on in the everyday world. These military units, if you like,
these state-backed and condoned units are out there hacking, and we've seen more
and more in the media, and more and more in the geopolitical response, that countries
are trying to extradite them, get them arrested, which is an absolute paradigm shift
in approach on how these things are done, because it's essentially trying to arrest a
soldier in another country. And we've got to remember what the motivations are with
a lot of these people who are members of these groups: it's national pride. These
people are hacking for their country. This is the equivalent of being in the Olympics, that
they're representing their country when they're doing this. Their motivation isn't
necessarily money, but it's often national pride and a sense of their duty to what
they're doing for their country.

Video Reference (00:19:41):
Now let's go back to the DNC hack and we're up to May 2016, and don't forget the
elections are around November, so we're on a path up to this. There's Julian Assange,
the founder of WikiLeaks. And let's see and explore how he and WikiLeaks may have
been involved in this whole area. For the previous six months, the FBI had been giving
warnings to the DNC to say, "Look, you're being targeted by these groups." The
top-level intelligence feeds around the world were being used obviously by the likes of the
FBI and so on. And they were picking up on this kind of activity that was going on, and
they were warning them that they were under attack.

Video Reference (00:20:20):
Now, this is very similar to the warnings that everyday businesses get as well, that these
hacks are happening. And sometimes people take heed and sometimes they
don't, but this is intelligence. And good intelligence is actionable intelligence. That is
information that you can do something with. That's good intelligence. If it's just noise,
you want to avoid it, because that can make people extremely busy, but not very
productive in what they're doing. What I am saying, and we'll learn more as we go through,
is that you want to source your intelligence from credible sources, because intelligence
should be something that you can react to, that you can work with, and that can make a
difference to what you're doing every day.

Video Reference (00:20:58):
It's mid-May and the DNC has opted to use Signal instead of email. Now that's really
interesting. Signal is an app that is much more secure than email because it has
encryption and so on, and the senders and receivers are verified by their mobile
phones and so on. It's mid-May and the DNC has started to take action. They've said to
all the key staff that all communication, especially in relation to Donald Trump, has to
go over the Signal app and not email, do not use email.

Video Reference (00:21:32):
By June the 10th, all laptops are now handed over to a specialist company to be
examined forensically. Obviously, by this period of time, there's a real suspicion that
something has happened. The hack has occurred, somebody has access to the
information and they're getting really, really concerned. By June the 12th, Julian
Assange started to make announcements. And one of the announcements he made was on
a British TV program during an interview, and don't forget he was in exile in an
embassy. And also keep in mind, he absolutely hated Hillary Clinton because, when
he was in his full power, if you like, Hillary was coming after him. He harboured this
grudge as well against her.

Video Reference (00:22:20):
And it's often seen that he may be a witting or unwitting agent of the Russian
government as well, in how a lot of these things have played out. But when this was
happening, he'd been in exile in a small room in the embassy in London. And he was still
doing interviews over video and so on with TV programs and everything else. And he
came out, got involved in the politics of this and said, "Hey, I'm going to have some
leaks coming out very shortly." He was marking everybody's card at this stage that
something is about to happen. By June 14th, the DNC announced that they had been
hacked. The chair of the DNC, Debbie Wasserman Schultz, had to resign. Now we're
starting to see an impact of what's happening here from these hacks, and what's going
on.

Video Reference (00:23:07):
On June the 15th, a character known as Guccifer 2.0 came out, and I say a character because
often what you'll see in the world of cyber threats and cyber risks is these character
names come out of these handles that describe a particular hacker. And Guccifer, the
original Guccifer, was somebody who claimed that he had hacked Hillary before; he was
a Romanian hacker. But this version of Guccifer came out and really we're not sure
whether this was an individual or this was a group of people pretending, but what all
the evidence points to, because of the use of Cyrillic keyboards, because of the
version of Microsoft Office they used, because of the fact that when on chats online
this Guccifer 2.0 character couldn't even speak Romanian. And we know that Guccifer
was Romanian.

Video Reference (00:23:54):
My point here is that people will often hide behind a cloak, a different name, a different
country, a different hacker agenda, and they may get involved in different hack groups
to carry out whatever they want. What we strongly suspect is that this Guccifer 2.0
entity was nothing more than APT-28 and APT-29, which are the intelligence units of
the GRU, the Russians who were involved in this. On July 22nd, 22,000 documents were
released, these emails and so on from the DNC.

Video Reference (00:24:32):
This is where we go from just being, if you like, somebody hacking someone's email
account into effectively information warfare. Now we're going from the criminality of
hacking into the control of politics. And we see here a screenshot from the WikiLeaks
website where they actually indexed and put up a search engine around all of the
emails from John Podesta. You could search them by topic, you could search for
anything you wanted within those, doing their utmost, obviously, to embarrass and to
share this kind of information with those that want to listen.

Video Reference (00:25:04):
Now we're right up to the cusp of the November elections; we're into October. And
there's a period of politics in the US known as the October Surprise, which basically
started after Nixon and Kissinger, where just before the election each side would bring
out potentially embarrassing information on each other. Let's have a look at what
happened in October, just before the 2016 elections. And what we're really going to
focus on here are some of the issues around potentially fake news and the impact that
may have had on the elections, on the outcomes and what was going on.

Video Reference (00:25:43):
From fake news, we're looking at the different conspiracy theories that were going out
there. The different fake narratives that were being put up, the different resources
that were being used through social media and so on to actually convince people of
what was going on. Let's walk through October.

• October the 7th, it's 2016 and the Director of National Intelligence, that is
effectively the NSA, the CIA and FBI, put out a statement accusing the Russians
of hacking the DNC. They're obviously pretty certain that there's a Russian entity
behind these attacks and they know that with a lot of detail, forensic detail,
technical fingerprints, what we often call indicators of compromise, the
different details that have been picked up, the different techniques that are used or
often tracked, in that regard.

• The same day at four o'clock, the Trump video, that famous Trump video or the
Access Hollywood Tape as it is referred to, where Trump was coming out and
talking about sexually harassing women and so on, was leaked.

We can see the game is starting to play. That obviously wasn't the Republicans who
put that out; that obviously wasn't the Russians who put that out. But somebody
leaked out that tape at that particular time, obviously somebody who was pro
Democrat at that stage.

• October the 7th, one hour later, WikiLeaks responded by releasing 170
documents and 2,000 more emails. This tit-for-tat started; they were holding
the good stuff back until now, if you like.

Video Reference (00:27:31):
An organization known as the Internet Research Agency, also known as the IRA, and
they have a couple of other nicknames such as Glavset, they're also known as the Trolls
from Olgino, commenced their aggressive campaign. Who are these guys?

These guys are effectively an online propaganda PSYOPs, Psychological Operations,
marketing department. They're based in Russia. And they set up social media accounts,
thousands of them around the world, to change the narrative of how people feel about
things. What they will do, for example, is that they will pretend to be American citizens
and start posting things pro one candidate, anti another candidate and so on. And we
saw an awful lot of activity happening around this time. And we're talking about
thousands of full-time staff, whose job was simply to set up fake Twitter accounts, set
up fake Facebook accounts and so on, and start carrying out this kind of activity.

• October the 12th, it's 8:31, and WikiLeaks made a phone call to Donald Trump
Jr. And within 15 minutes of that, Trump was tweeting about the Podesta
emails and WikiLeaks because we saw more content coming out.

Video Reference (00:28:30):
Now, interestingly, a short period of time after this, and there's been no official
connection between what I'm about to tell you and the activity up until this point.
But the Mirai Botnet, this is a massive, massive network of infected internet-of-things
devices, took down the entire internet on the East Coast of the United States on
October the 21st. Let me explain a little about what that looked like. Up until this
period of time, there was probably a set rate of the size of DDoS attacks, Distributed
Denial-of-Service attacks, how they were targeted, the size of them and so on.

Video Reference (00:29:14):
How many infected devices may be involved and so on. However, with this, this was
unusual because this was absolutely massive. It was one terabyte per second. That was
1.2 terabytes per second that was coming down. That's an absolutely huge amount of
traffic being pumped out at a single point of failure that they had identified within the
network infrastructure of the United States. There were 300,000 devices within this
army. They were being called up and being used. And what was really unusual about
this as well was that most of these devices involved in this are what we call IoT
devices. That is to say, these kinds of devices that we switch on, put on the internet to
make it easier. It could be anything from a CCTV camera, to a weighing scale, to a
kettle, to a doorbell, to whatever. And these things were all being controlled because
they're one of the biggest risk factors on the internet at the moment, because
effectively they are not secure themselves.

Video Reference (00:30:18):
Here we can see a heat map of exactly the parts of the internet that were taken down. If I
switch back quickly, we see that the sites that were impacted were Twitter, the BBC,
CNN, The Boston Globe, DirecTV, Fox News, New York Times, Netflix; all the
communication organizations were knocked off the air. A group called New
World Hackers claimed responsibility and we could see that absolutely massive
impact. On the graphic on the right is the amount of ISPs and the amount of infections
within those that were being carried on. At this point, WikiLeaks came out with a
statement and said, "Mr. Assange is still alive and WikiLeaks is still publishing. We ask
the supporters to stop taking down the US internet. You proved your point."

Video Reference (00:30:59):
You can see the sub diffusion and politics that was going on here, the hidden messaging
to get, if you like, commands over to each other. And we saw this directly even from
Donald Trump where he would call out to WikiLeaks and he would call out within press
conferences to people. All of this is going round in plain sight as well as what's going on
behind the scenes.

Video Reference (00:31:20):
I mentioned the internet-of-things and the IoT devices, and this is effectively, these
are the top-selling IoT devices. Everything from light bulbs that you can contact from
the internet to turn them on, to turn them off, you've got doorbells, you've got Alexa,
you've got all of these kinds of different devices. And the reality is that we buy these
things, we bring them home and put them in our offices, put them in our homes and
there is little to no security built within them. And therefore, if a hacker can gain
control of that, he can gain control of the device and use its bandwidth as part of an
attack. And that's exactly what we saw with the 300,000 devices that were used in
those massive Mirai botnet attacks that went on.

Video Reference (00:32:01):
Something to understand about this as well is that these devices that sit out on the
internet, you bring back your latest smart TV, you put it onto your Wi-Fi network at
home, or whatever your favourite IoT device is, and if it's not secured and it's not in a
secure environment, very quickly it will get indexed by a search engine such as
Shodan. And what Shodan is, it's the equivalent of Google, but it's for devices. It's for
anything on the internet that is really not being indexed, if you like, by Google. These
are devices like printers, industrial control systems, traffic lights, even databases and
servers, and all the different kinds of devices. Because if it has an IP address, it's
speaking on the internet. And if it has an IP address, something can talk to it, because
all it's doing from a protocol perspective is just trying to have a conversation. And it's
listening there for a connection.

Video Reference (00:32:59):
What the likes of Shodan does is allow people to search for devices by simply just
typing in a word or typing in a location, whatever. It's foolproof to find it. And
what people often see, almost for amusement, is that they can find, say for example,
CCTV cameras or nanny cams, and they will be set with the default username or the
default password. Very quickly they click on them, they put in username "admin,"
password "admin," and they log into the device. What I have here is a sample screen
from the day after British Airways got a quarter of a billion Euro fine for their GDPR
breach, and they also in the same day lost a quarter of a billion in their share price. I
typed the words British Airways into Shodan to see if I could find any device. And
what I found was a server advertising itself as being available as their FTP server.

Video Reference (00:33:54):
And if you can see, I have all the details here. Now that is not the skills of a hacker, that
is just somebody typing British Airways into one of these online, if you like,
hacking research tools to find information. But obviously if somebody had a
nefarious intention and they wanted to do something, they could use this information to
get themselves to the next stage of the hack potentially.

Video Reference (00:34:17):
Now let's revert back quickly to the DNC cyber hack itself. Glen Caplin came onto the
news on MSNBC and he said, "We are not going to confirm the authenticity of stolen
documents released by Julian Assange." In that statement itself, he had confirmed the
documents were stolen, he had confirmed the validity of those documents. And that
was a big schoolboy error, because what he was essentially saying was the
documents that Assange sent out, and we found out afterwards a lot of them had been
edited, and a lot had been changed and so on like that. But he was basically saying to the
world, "Yes, they are our documents and Assange has them and he is releasing them
through WikiLeaks."

Video Reference (00:35:02):
Now we're into the final countdown of the run-up to what happened around the DNC
hack. Podesta's iCloud password was actually in one of his emails and therefore
towards the end of this scenario, they wiped his phone. There you can actually see the
screenshot of them wiping his phone. You can see his Apple ID account of a screenshot
of it there, all of the details.

Video Reference (00:35:27):
Now once they had that password, getting back to my point about your email account
being that one piece of the puzzle that can bring everything down, they had his email
account, they were able to start really playing with him. And really, if you like, having
fun, they also reset the password on his Twitter account, and they put out a pro-Trump
message saying, "I've switched teams, vote for Trump in 2016." And his password was
not very complex, not a very good password. It was "Runner4567." You can see the
amount of lessons we can start gaining here about the faux pas or the mistakes that
have been made and things that could have prevented an awful lot of this happening.

Video Reference (00:36:11):
Essentially by October 28th, Letter to Congress. Comey said that he had “learned of
the existence of the emails that appeared to be pertinent to the investigation” into
previous hacking allegations and so on. At this point, the game is over for the
Democrats. They've lost all credibility. They were already getting over the mud that
was slung over a previous situation where Hillary Clinton’s server where she used a
personal email server and for official emails, there was again, no evidence of that being
hacked, but all of this was just perception is reality and people the term email, the term
hacking, the credibility factor, everything had enough of an impact to effectively
change or have an impact on what was going on.

My point here is that the smallest change in a variable on the input can have a massive
variable on the outcome of something. We have to understand that the smallest
controls that we can put in place can have a massive impact on safety. And this is really,
really important when it comes to cybersecurity and risk management, to understand
those things.

Video Reference (00:37:26):
Let's have a quick look at 10 key takeaway lessons.

1. Be prepared for phishing. Phishing happens every single day. I've gone through
some of the scary figures there, some of the eye-watering numbers and you can
see they do it because it's successful. There are different kinds of phishing
techniques aimed at different audiences. Therefore make sure that your people
at the right level receive the right kind of training around these kind of phishing
emails and how they work, how they work inside of a commercial environment
and outside of the commercial environment and what they can lead to.

2. Do not rely just on text message authentication. It is much easier to spoof this
and spoof phone passwords, sorry, phone numbers and so on when you're using
this as a technique. It's very important that you don't just rely on that. There's
nothing foolproof. This is all about layered security. This is all about defensive
layers. You need to know a number of things. But if you have a choice, you use
an app for creating your two-factor authentication.

3. Do not send passwords in email at any stage to anybody. You see, that was a big
mistake made by John Podesta and ultimately the most humiliating for him
when they erased his phone, they compromised his Twitter account and so on,
and they took over his identity online.

4. Do not share account credentials. John Podesta had at least three people who
worked for him, who he trusted to log in as him and represent him. When you
think of that, that's three people who themselves could be compromised from a
human element or even just from a technical environment they could be
hacked, and they can circumvent those systems. The risk had been spread by
doing that as well.

5. Do not use email for secure communication. Presume it is public. I cannot
emphasize this enough. The amount of people that still put really sensitive
information into email, email is not secure. You must always presume that at
some stage, email is going to be public. It's not a secure form of communication,
it's just so easy to get circumvented through different areas and so on like that.
You have to always presume that it is going to be compromised at some stage,
which I know is a bit dramatic, but it is probably the safest way to do it. Use a
secure app or a secure tool or application in order to exchange sensitive
information, as well as a high level of encryption.

6. Someone should be responsible for cyber security. Here we have the DNC
presidential campaign, millions and millions and millions of dollars. Thousands
of people are involved. Only four people with responsibility around running that
entire ecosystem, and none of them a cyber security or risk professional, none of
them. The writing was on the wall; it was almost a perfect storm. Something was
going to happen, and it did. And the safeguards were not put in place. The
strategy that they had as a business was to win the election, and everything
they were doing was to do that. But what they didn't do was match that with a cyber
risk management strategy to manage the risks around protecting them so that
they could meet their goals and fulfil their vision.

7. Know your enemy, perform a risk assessment. Because when you look back at
this, and hindsight it is 20/20, but when you look back on this of what happened,
you could see so much that could have been prevented and controlled. Because
things will happen, but we need to manage the narrative. We need to manage
the crisis. We need to have the proper playbooks in place, proper incident
response procedures to manage whatever has happened. Breaches will happen.
They will happen. People will be hacked, data will be mislaid, get lost, so on.
These things happen. But it's how you handle those things and be able to
recover from those situations is so important. A lot of these things were
controllable and preventable.

8. Perception is reality. Crisis communications is key. You need to prepare and
use the appropriate people. You need to make sure that crisis communication
has been developed, the playbooks, the narrative, and all of those things to be
put in place to deal with that.

9. Education is a preventative, a detective, and responsive control. And one of
the key things.

Video Reference (00:41:39):
Our conclusion, the key lesson. The key lesson is passwords are like underwear –

• You need to make them exotic
• Don't let anyone see them
• Change them regularly
• and definitely use two-factor authentication.

Thank you.
That's the end of our case study.

JARGON BUSTER SECTION

TERM EXPLANATION
1 TB (Terabyte): Storage capacity for approximately 500 hours' worth of movies.

2FA (Two Factor Authentication): Two factor, e.g. 1: TOTP (Timed One Time Password); e.g. 2: withdrawing money from an ATM, only with the correct combination of a bank card (something the user possesses) and a PIN (something the user knows).

APT (Advanced Persistent Threat): Usually the threat actor is a nation state and they engage in a prolonged and targeted cyberattack in which the intruder gains access to a network and remains undetected for an extended period of time.

Attack Vector: A path or route used by the adversary to gain access to the target (asset).

Backdoor: A means of regaining access to a compromised system by installing software or configuring existing software to enable remote access under attacker-defined conditions.

Bastion: A system heavily fortified against attacks.

Black Hat Hacker: A hacker who breaks into a computer system or network with malicious intent.

Botnet: A term derived from "robot network"; a network of private computers infected with malicious software and controlled as a group without the owners' knowledge, e.g. to send spam. A large automated and distributed network of previously compromised computers that can be simultaneously controlled to launch large-scale attacks such as a denial-of-service attack on selected victims.

Bots: An automated process or individual devices that are part of an infected network.

Brute Force Attack: Repeatedly trying all possible combinations of passwords or encryption keys until the correct one is found.

C2 (Command and Control): Compromised servers used by attackers to maintain communications with compromised systems within a target network.

Cashiers: In the Underground Economy of Cybercrime, the entities that control drop accounts and provide names and accounts to other criminals for a fee.

CISO (Chief Information Security Officer): The senior-level executive within an organisation responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected.

Clear Text: Data that is not encrypted.

Crimeware: A class of malware designed specifically to automate cybercrime.

Cyberwarfare: Actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption.

Data Exfiltration: Unauthorised transfer of data; also called data extrusion, data exportation, or data theft.

DDoS Attack: An attack that involves sending multiple requests to the attacked web resource, with the aim of exceeding the website's capacity to handle multiple requests and preventing the website from functioning correctly.

Deep Web: The part of the World Wide Web that is not discoverable by means of standard search engines.

Disgruntled: The motivating factor for cyber insiders.

Distributors: In the Underground Economy of Cybercrime, the entities that trade and sell stolen data and act as escrows for the goods provided by other specialists.

DKIM (DomainKeys Identified Mail): An email authentication method designed to detect forged sender addresses in emails (email spoofing).

Egress Traffic: The network traffic that begins inside a network and proceeds through its routers to a destination somewhere outside of the network.

Encryption: The process of converting information or data into a code, especially to prevent unauthorised access.

Fraudsters: In the Underground Economy of Cybercrime, the individuals that create and deploy various social engineering schemes, such as phishing and spam.

Geopolitical: As a cyber threat actor group motivation, this is the main motivating factor for nation states.

Hackers: In the Underground Economy of Cybercrime, the individuals that search for and exploit application, system and network vulnerabilities.

Hacktivists: Threat actor group most motivated by ideological reasons.

Hosted System Provider: In the Underground Economy of Cybercrime, those that offer safe hosting ("bullet proof hosting") of illicit content servers and sites.
Ingress Traffic: The data communications and network traffic originating from external networks and destined for a node in the host network.
IoT (Internet-of-Things): Taking all the "Things" in the world and connecting them to the Internet.
Money Mules: In the Underground Economy of Cybercrime, the individuals that complete electronic transfers between bank accounts.
Organisational Leaders: In the Underground Economy of Cybercrime, the individuals that are often "People Persons" without technical skills; they often assemble the team and choose the target.
Profit: The main motivation for cybercriminals.
Programmers: In the Underground Economy of Cybercrime, the individuals who develop the exploits and malware used to commit cybercrimes.
Proxy: A server application or appliance that acts as an intermediary for requests from clients seeking resources from the servers that provide those resources.
Ransomware: A specific type of malicious software designed to block access to a computer system until a sum of money is paid.
SCADA (Supervisory Control and Data Acquisition): A control system architecture comprising computers, networked data communications and graphical user interfaces (GUI) for high-level process supervisory management, while also comprising other peripheral devices such as programmable logic controllers (PLC) and discrete proportional-integral-derivative (PID) controllers to interface with process plant or machinery.
Smishing: The fraudulent practice of sending text messages purporting to be from reputable companies in order to induce individuals to reveal personal information.
SPAM: Irrelevant or unsolicited messages sent over the Internet, typically to a large number of users, for the purposes of advertising, phishing, spreading malware, etc.
Spear Phishing: The practice of sending fraudulent emails, tailored to a specific victim or group of victims using their personal details, purporting to be from reputable companies in order to induce individuals to reveal personal information.

Tech Experts: In the Underground Economy of Cybercrime, the entities that maintain the criminal enterprise's IT infrastructure, including servers, encryption technologies, databases and more.
Tellers: In the Underground Economy of Cybercrime, the entities that are charged with transferring and laundering illicitly gained proceeds through digital/crypto currency services and different world currencies.
TLD (Top Level Domain): The highest level in the hierarchical Domain Name System of the Internet, e.g. .com or .ie.
VPN (Virtual Private Network): A technology that normally uses encryption to extend a private network across a public network, enabling users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.
White hat hacker: An ethical computer hacker, or a computer security expert, who specialises in penetration testing and in other testing methodologies that ensure the security of an organisation's information systems.
