Excerpts from September 14, 2021, FBI Briefing and Panel Discussion.
Organizer: Fortress Security Risk Management
FBI Representative:
Bryan P. Smith: Section Chief, FBI Cyber Criminal Section
Full Webinar Replay Link: https://fortresssrm.com/webinar-cybersecurity-lessons-for-business-leaders/
Part 1: FBI Briefing
Bryan P. Smith oversees all of the cyber-criminal matters that the FBI is investigating. 19 years with the FBI. Prior to the Bureau, 7 years with Accenture and Deloitte & Touche in systems and business consulting.
Not just an IT problem, a business problem
This is not an IT problem. It’s bigger than that. It’s a business problem.
I think the reason that we're in the position that we are right now, where it's such an egregious problem for any industry out there, is that in many ways we've had that separation between IT and the business.
Who are the bad guys?
You've got Hacktivists who are doing it out of some ideological viewpoint. They don't like something your company has done. They see it in the news and decide that they're going to do something to embarrass your company or to destroy or harm its reputation.
There are financially motivated cyber criminals. These are fraud schemes, identity theft schemes, ransomware schemes, business email compromise schemes, securities fraud, and pump and dump schemes that they're using cyber activities to support.
And then you have the Nation-States who are using cyber activities to steal secrets from the US Government. But more and more, we’re now seeing those foreign adversaries utilizing Nation-State tools and capabilities to go after US businesses.
Everyone’s a target
The idea that “Well, I’m too small. I’m not a target for these entities,” is wrong.
What I will tell you is that we've seen the smallest entities targeted by Nation-State actors. It may be because of the relationship with a bigger player as a part of the supply chain, or it may be because of a unique technology that someone was working on. So, the idea that you're going to be able to hide on the internet because of your size and have anonymity has passed us by these days.
Intrusions
Once they engage in that spear-phishing campaign, that initial intrusion, they gain access to the system, they establish a foothold within your system, and they do their reconnaissance.
They see who’s who in the zoo, who has access to different places, what the relationships are within the entity, and then they conduct another attack on those individuals so they can escalate the privileges and gain further and further access into the system.
Once they get into the system, they may sit there for months or years if they’re a Nation-State actor.
Very often, and we see this within the ransomware environment, the ransomware attack is actually the last thing that happens to a victim. Typically, you have some sort of intrusion into the system: a dropper comes in, they install additional malware, some sort of banking Trojan to take credentials, they may go pull PSTs and other email files, and they take any sort of Word documents, presentations, sales proposals and things like that.
Ransomware and double extortion
Once they've taken everything that they can from your system, that's the moment that they actually launch the ransomware attack, because they've got everything that they need from within your environment.
When they launch that ransomware attack, they’ll send you an email with the ransom payment that they’re asking for in it, and the trend that we’ve seen within the last year is that the information that they stole from you previously will be used against you – to extort you.
If you say, "You know what, I have backups within my environment, so I can rebuild from those systems," they will then share with you information that they stole from you that might be embarrassing to you as a leader or to you as an organization, and they'll threaten to release that out to the public.
And so, it’s a separate type of extortion that they have on you, not just on the system side, but also, based on the data side.
FBI’s Institutional Intelligence
When you do get hit with ransomware, please let us know.
And the sooner you let us know the better, as we have a better chance at possibly recouping funds for you or identifying some of the other activity that’s going on within your system.
Our objective is to help you as much as we can. And so, we will point you in the right direction.
Specialized, deep-seated expertise
We have 56 field offices across the United States with satellite offices within them, called resident agencies.
When we have a certain type of malware that has been identified, we will assign a specific office to own that particular malware or a particular threat group. In that way, you get deep-seated expertise in that malware or that threat actor.
Business benefits
You are able to gain access to the expertise of a team that has been working on a particular malware or group for some time and we provide that information value back to the private sector.
There's a whole host of skill sets needed to address these actors – the intrusion part and the development of malware, the money laundering aspect, and the conversion of that into value and into a fiat currency – and these are not being done by the same individuals.
Specialization of cybercrime services
The second biggest trend we’ve seen is the specialization of services.
They have taken the business model of specialization from western commerce over the last 30 or 40 years, and recognized that one person can do the development side of it; they can then have other folks work as affiliates for them, who launch the spear-phishing campaigns; and another entity can handle the financial side of it and the cryptocurrency conversions.
And so, they get best-in-class, world-class capabilities within each of those areas.
So, we’re bringing those same types of commensurate skill sets to address each of those areas. And so, if we don’t have that financial background in a cyber agent or a computer scientist, we’re leveraging our skillset within forensic accountants, or if it’s a cyber securities fraud pump and dump scheme, we’re leveraging the expertise of our securities fraud experts.
That, to me, is a great lesson for business leaders: if you're continuing to treat this as an IT problem that's going to be focused on the toolsets and the technology that you're employing as a defensive mechanism, and if you're not bringing the same functional expertise to understand what they might be after, you're going to miss the boat.
Data Privacy and Identity & Access Management
A lot of people talk about layered security within the cyber arena. Layered security is not only just the access points within the system, but it's also having multiple individuals and entities who are part of the solution.
One example – We’re talking to a chemical company, and asked them, “What is it that’s important to you? What are the crown jewels within your entity?”
The IT folks said, "Oh, it's the chemical compounds, the formulas that we use to make the chemicals that we then sell to the marketplace." Alright, that made perfect sense to me as an accounting major, and it made perfect sense to the IT folks.
When we went and talked to the business folks, their response was entirely different, “No! Those chemical compounds and formulas are things that any second-year student in college will know. Our competitive advantage is the process we utilize in the production and the proprietary software that we’ve developed internally.”
What they had been protecting – those chemical compounds – were under lock and key; there were three people in the company who could gain access to those chemical compounds. But the source code for their proprietary software was wide open on the network, and anyone could gain access to it if they knew where to look for it.
Our recommendation is that you start bringing in the business folks in these conversations with the IT folks. You need to make sure that you’re protecting the crown jewels and you’re devoting your resources to what’s important to you.
Working with the FBI/Intelligence Sharing
The last thing I'll talk through here is working with the FBI in these types of instances. What we have found over the years is that this problem, much as it is not an IT problem but a business problem, is not something that we can solve on our own through law enforcement.
We are requiring and needing more and more cooperation from the private sector, because you guys have the information, you guys have the data about the activities, you have the data about the intrusion. These guys make mistakes sometimes. The information that you provide in one instance, where someone didn't mask their IP address or made a mistake in the wallet that they utilized, may help us break a case in some other big matter.
Have a plan in place
What I ask of the private sector is more sharing of information, more reporting of incidents that come out there, and engaging with us early on.
We don’t want to have this be a situation where the first time that you called the FBI, the first time that you reached out to us is after a significant event has happened.
You should have a plan in place, you should know who your local FBI contact is, and you should have an introduction with them. They are very active in getting out in the community and talking to folks about the threats that they're facing. So that's a long-term engagement process, for which we're asking support and commitment from the private sector to do all these things.