Online illicit communities are not only a place where cyber attacks are planned and the tools to commit them are traded, it’s also home to emerging threats to an enterprise's physical assets, including its employees, facilities, and data. The physical element of information security often takes a backseat to the technology protecting the information. Theft, vandalism, or alteration of hardware can be equally as destructive and costly as a malware infection, and possibly even easier and more productive than a digital attack.
Flashpoint broadens the scope of cyber intelligence beyond threat detection to areas like physical security, providing the relevant context to business units not traditionally afforded the benefits of intelligence derived from illicit communities. By collecting and analyzing data from these communities and various surface web sources, Flashpoint provides customers with the trusted intelligence they need to facilitate risk assessments, the development and implementation of mitigation measures, and the ability to assess the effectiveness of those measures.
Below are examples of the types of challenges Flashpoint helps companies address:
Over the past several years, various groups initiated campaigns against the aviation industry that ranged from anti-pollution and runway expansion protests to demonstrations against deportations. Demonstration tactics included the blocking of runways, demonstrators chaining themselves to aircraft, concourse "die ins" in which protesters lie on the ﬂoor as though deceased, and general gatherings to disrupt business operations. In the past, these demonstrations in which participants impeded ﬂight operations, by causing runway or terminal shutdowns, resulted in global ﬂight delays and ultimately a ﬁnancial impact to individual airline carriers.
By monitoring the situation and assessing tactics, techniques, and procedures (TTP’s), Flashpoint was able to assess the impact of upcoming protests, and determine that these groups would likely continue to protest and attempt to impede airport construction and expansion projects through direct action. Other assessments included which protests were likely to include vandalism, economic impacts like disruption of business, and if their campaigns were gaining or losing momentum. Based on this information, Flashpoint customers were able to take actions to help control the impact to business operations, and to ensure the safety of their employees and facilities as well as the safety of those protesting.
Leading up to the G20 Summit in Hamburg, Germany, which was attended by more than twenty heads of state or government and high level representatives of other organizations, Flashpoint was monitoring multiple groups that were preparing direct, violent action against the summit. These groups had called for vandalism from extreme
far-left and anarchist groups and already one protest had led to several police vehicles being burned. Additionally, due to historic cyber campaigns around the G20, Flashpoint had assessed with moderate conﬁdence that some form of nefarious cyber activity was likely to be observed.
Flashpoint monitored the timelines of these groups, identifying the peak dates where demonstrations would likely take place and which of those dates were most likely to involve vandalism and violence towards police by extremist groups. Customers were also provided proﬁles of the groups involved with an eye towards whether these groups were typically violent. Our analysts offered customers strategic advice in the instance of a violent protest, including how to set up emergency notiﬁcation systems and physical evacuation plans. They also evaluated physical threats that would lead to cyber compromise, such as malware deployed through ﬂash drives, and offered strategic advice on how to protect laptops and other mobile devices.
In April 2017, a threat actor published a post titled “Diaries of a Fraudster,” detailing various fraud techniques. According to the actor, he and a team of others would purchase credit reports and then purchase matching scanned driver's licenses and Social Security Numbers. After the purchases, he claimed that: “[the] rest was simple, just memorize the information on the [credit] Report and DOB, Address etc. Then we went to [a retail store] or any stores that let you buy merchandise as a loan. “ He also claimed that their team would place small microphones in: “big construction stores . . . that any entrepreneur could go simply by telling the cashier his name and account number. “ After stealing the information, he and his team would "dress in construction clothes, make fake [IDs]," and buy less than $5,000 CAD worth of items at a time.“
Flashpoint alerted customers to these new techniques, as the advice and experience offered by actors such as this one are of immense value to other cybercriminals-–both novice and experienced-–who are seeking to enhance their operational tradecraft. This helped customers to make strategic decisions about their operational security procedures. A proﬁle was also created on this actor to monitor his other activities on illicit communities so if he continues his diary series, Flashpoint can keep customers abreast of new TTPs as soon as other threat actors learn them.
PHYSICAL THEFT & LOSS
In June 2017, a company was ﬁned more than £100,000 following the theft of a hard drive containing the banking details of almost 60,000 customers. The device also held limited credit card details of 20,000 customers, although CVC numbers and expiration dates are not affected. The Information Commissioner’s Office (IOC) said the device was stolen either by a member of staff of a contractor, adding that the information on it was not encrypted and the device has never been recovered.
Theft of hardware, such as company-issued laptops, cellular devices, and removable media, poses a potentially high-impact ﬁnancial threat to the ﬁnancial sector. The loss of employee or customer data, if decrypted or readable, will likely lead to large-scale fraud and the possibility of lawsuits and/or ﬁnes by government regulators. With Flashpoint’s help, the company could have strategically planned to protect their sensitive hardware both on a physical security level and recommendations on protecting the data on that hardware. Following a breach like this, if the company’s information were to appear on illicit communities, Flashpoint could also alert them and provide context which could assist in discovering the threat actors involved.