The Internet has changed the way we live, shop, do business, and even how we socialize. But the Internet is also a very dangerous place, and it’s getting more dangerous as each day passes. What’s it like working as a cyberthreat detection expert whose job is to detect and analyze the latest threats to our connected world? To find out, I recently had a chat with Daniel Adamitis, the director of intelligence analysis at Prevailion, a cybersecurity company whose team of experts includes former NSA and CIA senior technical leaders and some of the most experienced commercial cyber experts in the world. Danny himself was formerly a security researcher at Cisco’s Talos incident response group, and he currently spends his days investigating targeted attacks and looking for new, innovative approaches to better detect and track malicious activity. He posts regularly on the Prevailion blog and also tweets on Twitter: @dadamitis.
MITCH: So Danny, what’s it like these days working in the field of cyberthreat detection/analysis? Must be kind of exciting, eh?
DANNY: Working as a cyberthreat detection analyst is an extremely challenging and rewarding career. The cyberthreat landscape is constantly changing, and to adapt you must continually learn about new, or sometimes antiquated, tactics and techniques used by various threat actors. Over time these campaigns have become increasingly sophisticated, both in terms of their breadth and the number of tactics used to avoid detection. To truly understand a campaign, I believe that you need to break down all of its individual components; that is when I usually have a moment of clarity. Once you have that breakthrough and you discover a new way to track a threat actor and better protect customers, it’s an incredibly rewarding feeling.
MITCH: There seem to be lots of new approaches in the area of spearphishing happening these days, and these seem to be getting more and more difficult to guard against and handle. Can you give us some examples? Who is being targeted and how are the exploits tailored towards them?
DANNY: I would roughly divide the phishing attempts into two distinct clusters. The first cluster would be considered comparatively unsophisticated, as this group of activity relies upon social engineering its victims by impersonating legitimate business interactions, such as a new “invoice” or “inquiry” email. Nevertheless, this sort of activity still poses a significant threat to businesses: once the threat actor has access to your network, they could steal intellectual property or deploy ransomware. A good example of this would be the MasterMana botnet that we reported on earlier this year.
The second cluster is more sophisticated and tailored in its approach. An example of an operation from this group would be the campaign we dubbed Operation BlockChain Gang. These sorts of attacks are much more difficult to defend against, as they sometimes use compromised email accounts and more targeted language. In Operation BlockChain, the first email that was sent to the victim was completely benign. Additionally, the threat actor used an email account from a prestigious university and asked applicants to review submissions for a contest held every year. It wasn’t until the victim responded to the attackers that the attackers ultimately sent the victim a malicious link to a waterhole website.
MITCH: What lengths have you seen the actors behind these phishing exploits go to in order to gain access to a high-value network?
DANNY: In our latest report, we discussed how the attackers compromised accounts on a legitimate domain and would then infect web browsers that visited a particular hostname. The waterhole website would then infect the victims’ web browsers using what was at the time a zero-day exploit. If the exploit executed successfully, it would then deliver a custom-modified payload. We assess that the threat actors had a multiplatform toolkit, which would suggest they had agents to infect Windows, Linux, and macOS machines. At the time of detection, all these agents had a very low detection rate, and the Windows binary was signed with a legitimate certificate. While I would consider this to be a fringe case, I believe that these threat actors, who appear to be financially motivated, were displaying highly advanced capabilities that put them on the same level as some nation-state actors.
MITCH: How can at-risk large crypto exchanges, corporations, and other organizations storing sensitive customer information take steps to detect and potentially avoid a breach? What recommendations would you make yourself in this area and why?
DANNY: Several precautions can be taken to decrease the likelihood of a breach and to help detect one if it does occur. To help prevent one in the first place, particularly from relatively unsophisticated threat actors, we recommend using an email security product, antivirus, and firewalls, both host-based and network-based. To protect against more advanced threats, we recommend consolidating security logs into a central repository, such as a SIEM, and having these logs reviewed by trained security analysts.
MITCH: How can organizations see if their company, or their third-party supply chain, has been compromised? I’ll bet you know of many organizations that have been penetrated and are not even aware that it has happened to them.
DANNY: Determining if one of your third-party suppliers has been compromised is an extremely difficult problem. Companies such as Prevailion are currently working on solutions to help provide compromise intelligence based on proprietary telemetry and algorithms. This provides Prevailion with unique insight into the ongoing campaigns and empowers companies to better understand the threat landscape. This should help inform decision-makers as to the threats currently targeting their vertical, and in Prevailion reports we provide recommendations on how to protect against these sorts of threats. However, before considering any solutions, decision-makers should consider the limitations of products as no one company has omnipotent visibility.
MITCH: What do you think is ahead for us in the cyberthreat detection area for the new year? I’ll bet you’ve got your work cut out for you ahead, right?
DANNY: While I believe that organizations are going to continue to experience traditional threats such as phishing attempts, I believe the biggest threat to large, security-conscious organizations is going to come from third-party services and software. In the past year, there have been even more cases of organizations getting compromised via third-party services, such as DNS hijacking, software update servers, and even companies that provide virtualized environment services.
One particularly alarming trend is that as companies continue to improve their security posture, criminals are now targeting individuals rather than organizations. We have already started to see criminals targeting individuals, particularly cryptocurrency enthusiasts, through SIM swapping. This resulted in a dramatic increase throughout the year in the number of SIM swapping incidents from the United States Department of Justice.
MITCH: Danny, thank you very much for giving us a glimpse into what cyberthreat detection involves. And thank you for helping us keep our businesses and organizations safe from cybercriminals.
DANNY: You’re welcome.