Meet the Threats: Oleg the Organized Criminal
Many organizations rely on personas to better understand their customers. At Cisco, we’ve gone beyond creating customer personas, we’ve also created them for the threat actors to help us build stronger security products. We’ve spent years studying the bad guys to best understand how to combat them. In this series of blog posts, I will outline our threat actor personas, including what motivates them, their attack vectors, and how to defend against them.
So far in this series, I have introduced you to Iggy the Insider Threat and Anna the APT. In this installment, I am going to discuss Oleg the Organized Criminal, who uses cybercrime to benefit financially, and how to combat him.
Introducing Oleg the Organized Criminal
Location: Eastern Europe, Asia
“Your identity and personal information is my currency. The tools of my trade are rarely detected, broad in attack methodologies, and delivered to you by an army of automated bots that I control.
Motivations and Goals
I am purely motivated by financial gain. I steal, buy, or trade credit card numbers and other personally identifiable information (PII) that I can use myself or sell within my own private networks or on the dark web to turn a profit. I operate botnets, which I use to send large quantities of spam email or conduct distributed denial-of-service (DDoS) attacks for a profit.
My game is one of numbers. To maximize profits, I need to target broad ranges of the populace to obtain PII on as many people as possible, send as much spam as possible, or compromise as many devices as possible. When the numbers are big enough, all of these activities can net me a large profit. I often use botnets to stage large-scale automated attacks such as spam or phishing to spread my malware.
Sometimes I exfiltrate data, and other times I use ransomware to hold data hostage, hoping the victim will pay me for it. I frequently target large organizations that store large amounts of PII, such as banks, retailers, healthcare providers, and credit card processors. A single intrusion can yield thousands or millions of records.”
Oleg will often use malware to infect his target networks. This malware may do multiple things such as:
- Exfiltrate data
- Encrypt and ransom data
- Direct spam email
- Participate in DDoS attacks
- Build out a botnet that can later be rented out
The method for distributing this malware usually targets a broad number of people. Spam and phishing emails are commonly used to trick employees into giving away their credentials or infecting the enterprise network. Sometimes, Oleg may take a more targeted approach and spear-phish executives or administrators who have broad access privileges.
Oleg may also use database entry points such as SQL injection attacks to compromise customer database servers.
Once Oleg is in the victim’s network, he will probably stay for a long period of time, continuously infecting new devices and grabbing new PII where he can. Too often, companies only find out about such a breach when their data has been spotted out in the wild.
How to Combat Oleg
There are numerous measures organizations can take to attempt to prevent, mitigate, and respond to attacks by organized cybercriminals. Web application firewalls are necessary to protect servers against SQL injection attacks and other similar tactics. Using anti-virus and anti-malware, and enforcing their use, can also help prevent malware infections.
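A web application firewall is a perimeter control; the SQL injection entry point described above is ultimately a code defect, and the durable fix is in the application itself. The following is an added example (not Cisco's code and not from any product mentioned here) showing a customer lookup written two ways against an in-memory SQLite table with constructed rows: one that concatenates user input into the query, and one that binds it as a parameter. The table name, column names and sample rows are assumptions made for the example.

```python
"""Added example: a PII lookup written vulnerably and then safely.

The constructed 'customers' table stands in for the kind of customer
database Oleg targets. Both functions take the same user-supplied
string; only the parameterized one treats it strictly as data.
"""
import sqlite3


def setup_db():
    """Create an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "4242"), ("bob@example.com", "1111")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """Builds the statement by string concatenation.

    Whatever the caller passes becomes part of the SQL text, so a
    value containing quote characters changes the query's meaning.
    This is the defect a code audit or WAF is trying to catch.
    """
    query = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, email):
    """Binds the value with a placeholder.

    The database driver sends the SQL text and the value separately,
    so the value can never be interpreted as SQL no matter what it contains.
    """
    return conn.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


def audit_inputs():
    """Run both lookups over a normal input and a malformed one.

    Returns (vulnerable_rows, safe_rows) for the malformed input so the
    difference in behaviour can be checked rather than just printed.
    """
    conn = setup_db()
    normal = "alice@example.com"
    malformed = "' OR '1'='1"  # constructed test input containing a quote
    assert lookup_vulnerable(conn, normal) == lookup_safe(conn, normal)
    return len(lookup_vulnerable(conn, malformed)), len(lookup_safe(conn, malformed))


if __name__ == "__main__":
    vuln_rows, safe_rows = audit_inputs()
    print(f"vulnerable lookup returned {vuln_rows} rows, safe lookup returned {safe_rows}")
```

For an ordinary e-mail address both functions return the same single row. For the malformed input, the concatenating version returns every row in the table while the parameterized version returns none, which is exactly the behaviour an audit of database access code should be looking for.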
Since PII is often the goal of the cybercriminal, organizations need to focus on ensuring their most sensitive data is protected. Where possible, air-gapping systems containing sensitive data – in other words, physically isolating it from other, less secure systems – can prevent attackers from accessing them. Network monitoring can help ensure air-gapped systems remain separated as intended.
Sensitive data should also be encrypted, both in transit and at rest. Data loss prevention (DLP) solutions covering data at rest and in motion can help ensure the PII is protected.
Regular security audits on code used in company services, products, and operations can help identify potential vulnerabilities before attackers can exploit them. Likewise, regular penetration testing can help keep the network hardened and resistant to attacks.
Lastly, detecting data exfiltration, botnet and command-and-control activity, and long-term attacks can help identify and mitigate ongoing attacks.
There are a variety of activities that Stealthwatch can detect that may signify an attack by organized cybercriminals. Since these attacks often come from abroad, it is useful to identify traffic between the network and hosts in suspect foreign countries. For example, if your organization does no business in Eastern Europe and you see a significant amount of traffic going there, then it could be a sign of an attack.
Secondly, identifying potential data exfiltration and command-and-control or botnet activity is extremely useful. These activities are present in most organized cybercriminal attacks, and they may alert you quickly enough to mitigate further exfiltration, or prevent it entirely. Don’t forget to keep an eye on specialized networked devices such as printers or manufacturing and healthcare machines as these are often overlooked and may be vulnerable.
Unusual flows such as a long slow flow could also be an indicator of an attack. Mapping these flows to host groups or a set of hosts might show a pattern or unveil groups of infected zombie hosts.
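The three indicators just described (traffic to countries where the organization does no business, possible exfiltration or command-and-control traffic, and long slow flows mapped back to groups of hosts) can all be expressed as simple rules over flow records. The block below is an added example, not Stealthwatch code or Cisco's detection logic, that applies those rules to a handful of constructed flow records. The host names, addresses, country codes and thresholds are assumptions chosen for the example; in practice the expected-country list comes from the business and the thresholds are tuned to the network's baseline.

```python
"""Added example: flow-record rules for the indicators discussed above.

Each record is one summarised network flow. The sample records are
constructed for this example and include a printer, since specialised
devices are easy to overlook in monitoring.
"""
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    src_host: str       # internal host that opened the flow
    dst_ip: str         # external destination
    dst_country: str    # country the destination resolves to (ISO code)
    duration_s: float   # how long the flow stayed open
    bytes_out: int      # bytes sent from the internal host


# Constructed sample flows (documentation/test address ranges only).
SAMPLE_FLOWS = [
    Flow("ws-017", "203.0.113.10", "US", 2.0, 1_200),
    Flow("ws-017", "198.51.100.7", "RO", 7200.0, 48_000),    # long, slow, abroad
    Flow("ws-042", "198.51.100.7", "RO", 6900.0, 51_000),    # same destination
    Flow("printer-3", "198.51.100.7", "RO", 7100.0, 44_000), # overlooked device
    Flow("db-01", "192.0.2.5", "US", 30.0, 9_000_000_000),   # bulk upload
    Flow("ws-088", "203.0.113.22", "US", 1.5, 800),
]

# Assumed policy values; tune to the organisation and its baseline.
EXPECTED_COUNTRIES = {"US", "CA"}   # where the business actually operates
LONG_FLOW_SECONDS = 3600            # a flow open longer than an hour
SLOW_BYTES_PER_SECOND = 100         # ...at a trickle rate is "long and slow"
EXFIL_BYTES = 1_000_000_000         # one flow sending more than 1 GB out


def unexpected_geo(flows):
    """Flows to countries the organisation has no business with."""
    return [f for f in flows if f.dst_country not in EXPECTED_COUNTRIES]


def long_slow(flows):
    """Flows that stay open a long time while moving very little data,
    a pattern consistent with beaconing or a patient exfiltration channel."""
    return [
        f for f in flows
        if f.duration_s > LONG_FLOW_SECONDS
        and f.bytes_out / f.duration_s < SLOW_BYTES_PER_SECOND
    ]


def bulk_exfil(flows):
    """Single flows that push an unusually large volume out of the network."""
    return [f for f in flows if f.bytes_out > EXFIL_BYTES]


def group_by_destination(flows):
    """Map suspicious flows back to hosts: a destination shared by several
    internal hosts is a candidate command-and-control point, and the set of
    hosts talking to it is a candidate group of infected machines."""
    groups = defaultdict(set)
    for f in flows:
        groups[f.dst_ip].add(f.src_host)
    return {dst: hosts for dst, hosts in groups.items() if len(hosts) > 1}


def analyse(flows):
    """Run every rule and return the findings as a dictionary."""
    suspicious = unexpected_geo(flows) + long_slow(flows) + bulk_exfil(flows)
    return {
        "unexpected_geo": unexpected_geo(flows),
        "long_slow": long_slow(flows),
        "bulk_exfil": bulk_exfil(flows),
        "shared_destinations": group_by_destination(suspicious),
    }


if __name__ == "__main__":
    for rule, hits in analyse(SAMPLE_FLOWS).items():
        print(rule, hits)
```

On the sample data the geography and long-slow rules both flag the three flows to the same foreign address, the bulk rule flags the database server's upload, and grouping by destination shows that a workstation pair and a printer all share one external endpoint, which is the kind of pattern worth treating as a set of zombie hosts rather than three unrelated alerts.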
To learn about our fourth and final persona – Heather the Hacktivist, who uses cyber-attacks to further her political causes – click here.