
Jon Boucher – CSOL 580-01-SU17 (Cyber Intelligence)

Module 7 – Final Report

Assumptions: The company profile is as follows: (a) LLC, small business; (b) 20 employees with $15M
in revenues; (c) defense contractor providing software/systems engineering support services to a US
Navy client in the San Diego area. For this assignment, I assume that I will be briefing the CEO, CFO and
CIO (CISO) of this company.

Executive Summary
I. Introduction: We have a problem and I recommend the executive team act to
address it. The problem is a deficiency in our firm's cybersecurity. Minor
corrections/investments made now could result in significant enhancements to
our cybersecurity posture. I respectfully request that your involvement extend
beyond a financial infrastructure investment: I am seeking your strategic "buy
in" to create a culture of cybersecurity awareness. My goal is to present the
credible, realistic cyber threat and provide some COA(s) that will protect our
II. The Current Cyber Threats: The cyber threat should be a real concern for our
company. Matt Mansfield's article "Cyber Security Statistics – Numbers Small
Businesses Need to Know" indicates that small businesses are being targeted by
cyber criminals. Most cyber criminals are interested in obtaining intellectual
property (IP), customer records and credit/debit card information. Their preferred
methods of attack include web-based attacks, phishing/social engineering and
general malware (Mansfield, 2017). The three actors profiled in this report, with
the motivation and tradecraft each is known for:

- The Lazarus Group: financial theft; spear phishing and keystroke-logger malware
- DeputyDog (APT 17): economic espionage; spear phishing and Blackcoffee malware
- Cozy Bear (APT 29): strategic/political attacks; Hammertoss and persistent command and control (C2)

III. Tools to Mitigate Risk: These tools are relatively easy to implement and

- Cyber threat intelligence software
- Two-factor authentication (smartcard tokens)
- "Re-boot" our cyber awareness training

IV. Final Thoughts: While the cyber threats are credible, we have an opportunity to
build an effective cyber defense. We should implement the tools mentioned
above as soon as possible.

Cyber Threat Intelligence Plan

I. Introduction - The purpose of this report is to highlight relevant cyber threats
to our company and to help company leadership understand the potential cyber
threats that face our company. This report is also intended to help leadership
make informed decisions in applying resources (people and funding). The three
threat actors fall into two categories: cyber criminals (financially motivated)
and Advanced Persistent Threats (APTs).

II. Company Priorities and our Obligations – The threats identified in this
report all present a threat to our corporate priorities. These actors present
tactical, operational and strategic threats. They could not only affect our
company's "bottom line," they could also negatively affect our fiduciary obligations
to employees and clients. As a certified defense contractor, we also have a unique
requirement to protect the confidential information of our Government clients
when necessary. The Chinese APT 17 presents a credible threat to our company's
intellectual property (IP). See below for our company's established priorities:

- Priority #1 – Protect current business operations by providing adequate
cyber threat intelligence.
- Priority #2 – Select a CTI platform that will enable our organization to scale
operations to 40 people.
- Priority #3 – Identify cyber threat platforms that will allow us to achieve our
company's five-year strategic plan.

III. Methodology and Rationale for Selecting these Threats: My
methodology for selecting these threats was based on two criteria. First, I
wanted to select threats that are likely to target our company. Our small business
has unique needs with regard to cybersecurity; we should choose tactics that
address the most probable attacks. Second, I wanted to choose threats which
we have the means and resources to defend against. I found one article that provided
insight into the most probable attacks our company could face.

IV. The Threats, Actors and Methods:

a. Financially Motivated Cyber Criminals – This group seeks money and
primarily uses cyber tools like ransomware to accomplish their attack.
This actor is most likely a criminal with no affiliation with our company;
however, in some cases this person could be an insider. Insiders consist
of disgruntled workers and their motivation is usually based on some
perceived wrong (e.g. termination, passed over for promotion, etc.)
(Bosworth, 2014).

i. The Lazarus Group - "A cyber espionage and sabotage group
responsible for a series of regular and devastating attacks, and
known for attacking manufacturing companies, media and financial
institutions in at least 18 countries around the world since 2009."
(Kaspersky Lab, 2017).
b. Advanced Persistent Threats (APT) – APTs represent the most
sophisticated, advanced threat. They are often perpetrated by determined,
adversarial nation states committed to compromising our most sensitive
state secrets. "Historically, APT attacks have been created by
sophisticated hackers using advanced attack techniques and blended-threat
malware. But now, we're starting to see smarter, every day malware
criminals speed up the evolution of APTs and make small and mid-sized
organizations even bigger targets" (Nachreiner, 2013).
i. Cozy Bear (APT 29) – Suspected to be Russian FSB. Cozy
Bear, classified as advanced persistent threat APT29, is
a Russian hacker group believed to be associated with Russian
intelligence. Cybersecurity firm CrowdStrike has suggested that it
may be associated with either the Russian Federal Security
Service (FSB) or Foreign Intelligence Service (SVR) (Wikipedia
– [Cozy Bear], 2017).
ii. DeputyDog (APT 17) – Suspected to be linked to the Chinese
People's Liberation Army. DeputyDog demonstrates the
increasing use of public websites to hide attacks in plain sight. It
loads malicious software directly into a computer's memory in a
way that bypasses the hard drive, making it more difficult for
companies to use traditional forensic and scanning techniques to
identify compromised computers (FireEye, 2017). The
development of the "Blackcoffee" malware has been attributed to
DeputyDog. "Blackcoffee's functionality includes uploading and
downloading files; creating a reverse shell; enumerating files and
processes; renaming, moving, and deleting files; terminating
processes; and expanding its functionality by adding new backdoor
commands." (Stevenson, 2015)

V. Risk Reduction Details

Threat: The Lazarus Group
Risk Reduction Solution: Implement two-factor authentication
- Specific – Smartcard tokens (a keystroke logger that captures a password still
cannot log on without the card)
- Measurable – We can establish a baseline and collect metrics
- Achievable – Yes, minimal cost
- Realistic – Yes
- Timely – Estimated minimum four-week implementation period

Threat: Cozy Bear (APT 29)
Risk Reduction Solution: Soltra Edge
- Specific – Reputable product
- Measurable – Build a baseline
- Achievable – 90-day free trial makes this an attractive option
- Realistic – Yes
- Timely – Estimated minimum two-week implementation period

Additional Risk Reduction

Threat: DeputyDog (APT 17)
Risk Reduction Solution: "Re-boot" cyber awareness training
- Specific – Build an appropriate curriculum or contract the service
- Measurable – We can track metrics before and after the training (i.e. phishing
- Achievable – Absolutely
- Realistic – Yes
- Timely – Yes, we will need a couple of months to review strategy and build

VI. The Cyber Kill Chain and Risk Mitigation Tools:

a. Soltra Edge – Cyber threat intelligence software - Soltra Edge leverages
the open industry standards of STIX (Structured Threat Information
eXpression) and TAXII (Trusted Automated eXchange of Indicator
Information) to collect threat intelligence from various sources and convert
it into the industry-standard language, revealing information that helps
firms make decisions on what actions they need to take to help users
better protect their organizations against cyber threats (Soltra Edge, 2017).
b. PIVKey – Two-factor authentication - PIVKey enables you to securely
store your digital certificates and associated cryptographic keys. Digital
certificates support PKI applications like logon to Windows, signing and
encryption as well as remote logon using VPN, RDP or HTTPS (PIVKey, 2017).
c. Training – Cyber awareness for employees – Implement a cyber
awareness curriculum that focuses on preventing spear phishing. This
training should be instructor led and employees' comprehension should be
d. Training - System administration (SYSADMIN) for IT professionals –
While employees are normally positioned to be the first line of defense in a
cyber-attack, our IT professionals are even more important to an effective
cyber defense. We should invest in professional certifications and
comprehensive training for our IT staff.
e. McAfee - Data loss prevention software - McAfee Total Protection for
Data Loss Prevention (DLP) safeguards intellectual property and ensures
compliance by protecting sensitive data wherever it lives—on premises, in
the cloud, or at the endpoints. (McAfee, 2017)
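Priority #1 and item (a) above both come down to the same mechanical step: take what the CTI platform collects and turn it into something the firewall, proxy and endpoint agent can act on. As an added example (not code from the original report, nor from Soltra/NC4), the Python below reads a STIX 2.x JSON bundle, an assumption since the report does not say which STIX version the product exports, pulls out the indicators that can be blocked outright, holds back conjunctive (AND) patterns for analyst review, drops revoked indicators, and then checks the results against a few constructed DNS/proxy/endpoint log lines. The bundle contents, indicator values and log lines are all constructed for illustration.

```python
"""Turn a STIX 2.x indicator feed into blockable IOCs and check them against our logs.

Added example, not code from the original report or from Soltra/NC4. It assumes the
CTI platform exports a STIX 2.x JSON bundle (the report does not state the STIX
version Soltra Edge emits); the bundle and the log lines below are constructed.
"""
import json
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed STIX 2.x bundle. Each indicator carries a comparison-expression
# pattern of the form [object-type:property = 'value'], joined by OR / AND.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--5c1c0f1e-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--5c1c0f1e-0000-4000-8000-000000000002",
         "labels": ["malicious-activity"], "valid_from": "2017-08-01T00:00:00Z",
         "pattern": "[domain-name:value = 'update.example-cdn.test']"},
        {"type": "indicator", "id": "indicator--5c1c0f1e-0000-4000-8000-000000000003",
         "labels": ["malicious-activity"], "valid_from": "2017-08-01T00:00:00Z",
         "pattern": "[ipv4-addr:value = '203.0.113.45' OR ipv4-addr:value = '198.51.100.7']"},
        {"type": "indicator", "id": "indicator--5c1c0f1e-0000-4000-8000-000000000004",
         "labels": ["malicious-activity"], "valid_from": "2017-08-01T00:00:00Z",
         "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"},
        # Conjunctive pattern: both conditions must hold, so its parts are not
        # safe to block individually (svchost.exe alone would block every host).
        {"type": "indicator", "id": "indicator--5c1c0f1e-0000-4000-8000-000000000005",
         "labels": ["malicious-activity"], "valid_from": "2017-08-01T00:00:00Z",
         "pattern": "[file:name = 'svchost.exe' AND file:hashes.MD5 = '" + "cd" * 16 + "']"},
        # Revoked indicator: must be dropped, or we keep blocking stale data.
        {"type": "indicator", "id": "indicator--5c1c0f1e-0000-4000-8000-000000000006",
         "labels": ["malicious-activity"], "valid_from": "2017-01-01T00:00:00Z",
         "revoked": True,
         "pattern": "[domain-name:value = 'old.example-cdn.test']"},
        # Non-indicator objects (malware, reports, ...) carry no IOCs to block.
        {"type": "malware", "id": "malware--5c1c0f1e-0000-4000-8000-000000000007",
         "name": "constructed-sample", "labels": ["backdoor"]},
    ],
})

# Constructed DNS / proxy / endpoint log lines in a key=value format.
SAMPLE_LOGS = [
    "2017-08-20T10:15:02Z host=WS-07 proto=dns query=update.example-cdn.test rcode=NOERROR",
    "2017-08-20T10:15:03Z host=WS-07 proto=tcp dst=203.0.113.45:443 bytes_out=18342",
    "2017-08-20T10:16:40Z host=WS-12 proto=dns query=www.example.com rcode=NOERROR",
    "2017-08-20T10:17:11Z host=WS-12 proto=tcp dst=198.51.100.70:80 bytes_out=512",
    "2017-08-20T10:18:05Z host=WS-03 event=file_write path=C:\\Users\\a\\Downloads\\x.exe sha256=" + "ab" * 32,
]

# One STIX comparison:  object-type:property = 'value'
COMPARISON = re.compile(r"(?P<otype>[a-z0-9-]+):(?P<prop>[A-Za-z0-9_.'-]+)\s*=\s*'(?P<value>[^']*)'")
QUOTED = re.compile(r"'[^']*'")


def ioc_kind(otype: str, prop: str) -> Optional[str]:
    """Map a STIX object/property pair to the IOC type our controls understand."""
    prop = prop.replace("'", "").lower()
    if (otype, prop) in (("domain-name", "value"), ("ipv4-addr", "value"), ("url", "value")):
        return otype.split("-")[0]            # domain / ipv4 / url
    if otype == "file" and prop.startswith("hashes."):
        return prop[len("hashes."):].replace("-", "")   # sha256 / md5 / ...
    return None                                # anything else is not directly blockable


def extract_iocs(bundle_json: str) -> Tuple[Dict[str, Set[str]], List[str]]:
    """Return ({ioc_kind: {values}}, [indicator ids that need analyst review])."""
    blockable: Dict[str, Set[str]] = {}
    needs_review: List[str] = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        pattern = obj["pattern"]
        # Strip quoted values before looking for the operator, so a value
        # containing the text " AND " cannot fool the check.
        if " AND " in QUOTED.sub("''", pattern):
            needs_review.append(obj["id"])
            continue
        for m in COMPARISON.finditer(pattern):
            kind = ioc_kind(m.group("otype"), m.group("prop"))
            if kind is not None:
                blockable.setdefault(kind, set()).add(m.group("value").lower())
    return blockable, needs_review


def match_logs(blockable: Dict[str, Set[str]], lines: List[str]) -> List[Tuple[int, str, str]]:
    """Find IOC hits in log lines; boundaries stop 198.51.100.7 matching 198.51.100.70."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        low = line.lower()
        for kind, values in blockable.items():
            for value in values:
                if re.search(r"(?<![\w.-])" + re.escape(value) + r"(?![\w.-])", low):
                    hits.append((lineno, kind, value))
    return hits


if __name__ == "__main__":
    iocs, review = extract_iocs(SAMPLE_BUNDLE)
    for kind, values in sorted(iocs.items()):
        print(kind, sorted(values))
    print("needs analyst review:", review)
    for lineno, kind, value in match_logs(iocs, SAMPLE_LOGS):
        print(f"HIT line {lineno}: {kind}={value}")
```

Two details matter in practice. The fourth log line (198.51.100.70) is not the indicator 198.51.100.7, and a plain substring match would raise a false positive there. And a file hash is worthless against the DeputyDog technique described in section IV (malware loaded straight into memory, never written to disk), which is why the network indicators (domains and C2 addresses) are the ones worth feeding to the proxy and DNS resolver.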

The Cyber Kill Chain

[Table: Stages of Attack mapped to Countermeasures (each countermeasure addresses a
link in The Cyber Kill Chain ®). The table did not survive extraction; the legible
cells are the stages Command and Control and Actions on Objectives, and the
countermeasures Employee Training and Prevention.]

VII. Risk Mitigation Tools and Estimated Costs

Product                                | Gap / Priority                              | Cost of product                                                           | ROI
Soltra Edge (NC4 company)              | Tactical, Technical, Operational, Strategic | $11,000 [1]                                                               | Pending establishment of a threat baseline
PIVKey C910                            | Tactical, Technical, Operational            | $14.95 per card x 20 users = $299.00                                      | Pending establishment of a threat baseline
Spear Phishing Training                | Operational                                 | Assessing options (this option could be free)                             | Pending establishment of a threat baseline
SYSADMIN Training                      | Technical, Operational                      | Assessing options (this option could be free)                             | Pending establishment of a threat baseline
McAfee Data Loss Prevention product(s) | Tactical, Technical, Operational, Strategic | Assessing options – there are many products, some with free trials/demos  | Pending establishment of a threat baseline

[1] Free 90-day trial at

VIII. Recommendations and Way Forward: Now that we have identified the
landscape, our company's priorities and obligations and the three threats, we now
need to decide on a direction to counter these threats. My recommendation is that we
implement the solutions from the table above, indicated in green. The second phase
of risk mitigation (in grey) should be studied more to determine those products'


References

Bosworth, Seymour. (2014). Computer Security Handbook (6th ed., Vol. 1). Hoboken,
NJ: Wiley. Chapter 12.

FireEye. (20 Aug 2017). "Advanced Persistent Threat Groups" [Website]. Retrieved on
21 Aug 2017 from:

Kaspersky Lab. (03 Apr 2017). "Chasing Lazarus: A Hunt for the Infamous Hackers to
Prevent Large Bank Robberies". Retrieved on 17 Aug 2017 from:

Mansfield, Matt. (03 Jan 2017). "Cyber Security Statistics – Numbers Small Businesses
Need to Know". Retrieved on 03 Aug 2017

McAfee – [Official Website]. Retrieved on 26 Aug 2017 from:

Nachreiner, Corey. (02 Jan 2013). "Your Firm Is Small, But Still An Attractive Target".
Retrieved on 03 Aug 2017 from:

PIVKey – [Official Website]. Retrieved on 26 Aug 2017 from:

Soltra Edge – [Official Website]. Retrieved on 22 Jul 2017 from:

Stevenson, Alastair. (14 May 2015). "APT17 DeputyDog hackers are pushing
Blackcoffee malware using TechNet". Retrieved on 26 Aug 2017 from:

Wikipedia – [Cozy Bear]. Retrieved on 04 Aug 2017 from: