Escalating Middle Eastern Cyber Tension: An Open Source (OSINT) Analysis
SESSION ID: CCT-W10
#RSAC
Dr. Christopher Ahlberg
CEO/Co-founder, Recorded Future
@cahlberg | [email protected] | www.recordedfuture.com
Al Qassam Cyber Fighters (QCF)
1. July 2, 2012: ‘Innocence of Muslims’ published on YouTube
2. September 11, 2012: Reactions start and spread quickly
3. September 18, 2012: Al-Qassam Cyber Fighters start Operation Ababil
Political Rhetoric Versus Cyber Attacks
[Figure: timeline chart. Blue (vertical) lines are attacks by SEA; the black line is Barack Obama on Syria. Annotated events: interview on the “Today Show”; speech at the Holocaust Memorial Museum; speech to Veterans of Foreign Wars; interview on “60 Minutes”; seeks approval for military intervention.]
Political focus driving attacks?
Attacks following media focus?
Attacks causing media focus?
Raising the bar on targets over time?
Behavior is Hard to Fake
Targeting May Differ
But Difficult to Escape from Time
Cutting Sword of Justice
Yemeni cyber capability?
QuickLeak.ir
No social media profile
Fars News
Parastoo
Cutting Sword of Justice
Lessons for the Defender
Track geopolitical backdrop
Know your threat
Adjust defenses to actors
Identify technical capabilities and indicators for actors
Track and monitor actor behavior, key sources, and events driving them
Defenders Matrix
Actors: Qassam Cyber Fighters | Iranian Cyber Army | Parastoo | Cutting Sword of Justice | Yemen Cyber Army | CyberCaliphate | Syrian Electronic Army
Targeting: US+UK Banks | Domestic Iran, China, Azerbaijan, VOA Farsi | IAEA, US gov, Saudi, Israel | Saudi | Saudi Government | US DoD, US Media, Random websites | Western Media Companies
Media outlet: hilf-ol-fozoul.blogspot.com; Cryptome; Fars News Agency; Wikileaks
Social media outlet: None | None | None | None | None | Twitter | Twitter, Facebook
TTPs: DDoS / Brobot; Web defacing; Web defacing; Destructive malware / Shamoon; Defacing; Document exfiltration; Twitter defacing/message publication; Phishing platform + defacing; RATs
Pre-announced attacks: Yes | No | Yes | No | No | No | No
Dropbox: Pastebin; Quickleaks; Pastebin; Quickleaks; Pastebin; JustPaste.it; sea.sy; archive.is
Operationalizing Intelligence
Parastoo
Conclusions
Middle East Actors have distinct behavior
  Geopolitics sets the agenda
  Chasing shadows
  War by proxy
  Actors have defined targeting, infrastructure, behavior, etc.
Defender recommendations
  OSINT can be used to monitor and stay ahead
  Carefully map actor threat profile to operational stance
  Be on your toes!