Know Your Adversary™

Know Your Adversary™ is hosted by Nisos, The Managed Intelligence Company. At Nisos we combine diverse intelligence expertise, tools, and technologies to solve complex problems and inform high-stakes security investigations for our clients. In this podcast series, we will show you how organizations can achieve attribution, unmask adversaries, and understand the context of threats against their enterprise. Our stories highlight real-life investigations - some well-known, others until now, not so well known. Our investigative stories revolve around cyber threat intelligence, supply chain risk, disinformation, adversary research and attribution, executive protection, physical security, trust and safety, fraud, and brand protection.

Democratizing Ransomware as a Service with Nisos Intelligence Advisory Paul Malcomb 03/28/2023

Democratizing Ransomware as a Service with Nisos Intelligence Advisory Paul Malcomb In Episode 91 of TheCyber5, we are joined by Paul Malcomb, Intelligence Advisory for Nisos. Paul brings over 15 years of experience from Fortune 500 security teams and the public sector including incident response, threat intelligence, and third-party risk management. In this episode, Paul explains how the ransomware-related ecosystem is evolving and provides insights to some of the newer threats organizations face. Below are the three major takeaways: Ransomware actors no longer need to be end-to-end capable and are now very decentralized: Gone are the days where threat actors have to be masters of all, with the democratization of services, affiliates with little to no technical knowledge can now execute sophisticated cyber attacks. Ransomware operators needed to possess the full scale of technical and non-technical capabilities within an organized criminal group. Initial access brokers, supporting operators, and/or the actual malware developers no longer need to be the same entity. Today, individual attack components are outsourced in order to provide an affiliate with end-to-end solutions filling nearly any unmet need to include but not limited to: payment negotiations, money laundering, infrastructure creation, payment collection, etc. CTI, Red and Blue teams must unite and move faster to adjust to the decentralization: It is becoming more and more critical to fuse CTI teams with their respective Red and Blue team components in order to emulate an organization's most pressing threats. Blue teams sometimes have minutes to detect and remediate a ransomware actor once the initial access is gained. This initial access is often gained through misconfigurations or unpatched vulnerabilities on legacy systems. Similarly, privilege escalation and lateral movement tactics commonly leveraged can also be mimicked enabling Blue team detections to be optimized against a specific adversary. This type of adversary emulation is only possible through the fusion of the three (3) teams (CTI, Red & Blue). Smaller and medium sized businesses (SMBs) have almost no chance to avoid ransomware unless they are using managed services to detect, correlate and respond to events. Managed Intelligence Service providers have experienced personnel, proven processes and the appropriate tools needed to accurately scope RaaS-related-risks and help guide SMBs through the challenge of hardening their systems focusing on cost effective risk reduction strategies. Living Off the Land attacks make detection harder by an order of magnitude: With the growing percentage of attacks not having any type of signature file or easily identifiable IOCs, timely adversary threat intelligence focused for a specific organization is often the only early warning indicator capable of identifying potentially malicious activity pre-impact. When ransomware attackers use the same commands and tools that are native in an Enterprise environment, attackers become significantly more challenging to detect because it looks like expected or business-as-usual (BAU) traffic. Over 70% of ransomware is now non-malware attacks meaning ransomware groups don’t need to use custom malware that can be detected from a file hash.The new formula requires only initial access then common administration tool know-how and thanks to the democratization of RaaS, now even these components can be purchased and all an Affiliate needs is the desire to attack and the finances to pay the ecosystem to act. /episode/index/show/knowyouradversary/id/26365392

Insider Threat Extortion Attempt of $300,000 Leads to Arrest 02/22/2023

Insider Threat Extortion Attempt of $300,000 Leads to Arrest In Episode 11 of Know Your Adversary®, we chat with an undisclosed security team that prevented an insider threat actor from extorting $300,000 from a global company. The result of the six months long investigation resulted in the arrest of the suspect who, as it turns out, was motivated by pride and money. One morning, the security team received an email asking for $300,000 as an extortion payment or the data would be released. Upon showing “proof of life” that the attacker possessed the data, it became clear they maintained elevated access beyond that of someone living abroad in Russia, as is typical of extortion attempts. Thankfully, the global company had a robust security program that allowed them to jump into high gear and track down the actor within weeks. While many think about grandiose espionage examples like former Soviet spies Aldridge Aimes and Robert Hanssen, in the private sector, two common themes are observed with insider threats when malicious acts go beyond negligence and into malfeasance: greed and ego. This case was no different and drives home important practices for an insider threat program. Including: Robust Open Source Intelligence Capability: Looking outside-in, your team should have the ability to collect important data that matches internal telemetry. This means having collection against social media and telemetry that can alert to sensitive data leaks with third party file sharing services (Dropbox, OneDrive, etc). Logging: It’s important to have inventory logs from the applications that are of most important business use. When sensitive data is leaked to the internet, a security team will almost certainly start looking at the logging from the applications where the leak originated. Security Awareness Program: Building trust within the employee base to allow them to become their own sensor network with the security team always helps an insider threat program. Forensics Capability: Quick forensics capabilities will almost always be needed when an alert fires from an insider data leak. Check out the latest episode to learn how all of these functions worked in almost perfect unison when the insider threat started the extortion attempt. /episode/index/show/knowyouradversary/id/26010165

Compare and Contrast Saudi Aramco and Colonial Pipeline Cyber Attacks 05/31/2022

OneSight Backstage Management System: Attributing a Chinese Marketing Firm’s Tools to Disinformation Campaigns 05/04/2022

OneSight Backstage Management System: Attributing a Chinese Marketing Firm’s Tools to Disinformation Campaigns In Episode 9 of Know Your Adversary™, Nisos researcher Zeshan Aziz revealed that Chinese commercial marketing firm OneSight, developed a sophisticated social media management and monitoring system called OneSight Backstage Management System to propagate political disinformation against the Uyghur community. The research indicates the Chinese Communist Party (CCP) likely conducted the campaign. Previous research into a breach of OneSight identified sophisticated social media surveillance tooling was used for widespread disinformation campaigns across many prominent Chinese and U.S. social media platforms. These campaigns targeted political topics, including Uyghur dissidents and anti-COVID19 messaging. While OneSight won legitimate contracts with the Chinese Communist Party to market Chinese state media, OneSight also used fake social media accounts to promote false narratives intended to create negative sentiment against U.S. policies. Primary Nisos Process and Tools to Combat Disinformation: Narrative: Identify the propagated primary messages. Accounts and Content: Find the platform's activity and roll back the accounts. Platforms and Outlets: Determine how widespread the messaging is on other platforms. Attribution: Attribute the sponsor backing the disinformation campaign through technical signature analysis. Major Takeaways from the Investigation: OneSight regularly advertises its Chinese commercial clients but does not disclose working directly with the CCP. However, research into the Chinese government procurement databases (the equivalent of the United States’ FedBizOps) indicates that OneSight regularly works with the CCP. Besides anti-Uyghur messaging, other narratives favoring the Chinese state included positive messaging about Carrie Lam, a Hong Kong politician seen as a close ally to the CCP. CCP Unmasked claimed to have stolen internal documents from Knowlesys, a company based in Hong Kong and GuangDong, Yunrun Big Data Service, a company based in Guangzhou, and OneSight, based in Beijing. Nisos researchers reviewed the data from the OneSight compromise. In a YouTube video, they discovered a proprietary tool called OneSight Backstage Management System: a portal for storing and correlating persona accounts, the messaging used for those accounts, and the platform used for propagation. Violations of Foreign Agents Registration Act (FARA) have been an effective near-term way to combat individuals and organizations pedaling foreign disinformation. Its purpose is to allow the U.S. government and the general public to be informed of the identities of individuals representing the interests of foreign governments or entities. /episode/index/show/knowyouradversary/id/23002088