Escalating Middle Eastern Cyber Tension: An Open Source (OSINT) Analysis
SESSION ID: CCT-W10
Dr. Christopher Ahlberg
CEO/Co-founder, Recorded Future
@cahlberg | [email protected] | www.recordedfuture.com
#RSAC
Al Qassam Cyber Fighters (QCF)
1. July 2, 2012: ‘Innocence of Muslims’ published on YouTube
2. September 11, 2012: Reactions start and spread quickly
3. September 18, 2012: Al-Qassam Cyber Fighters start Operation Ababil
Political Rhetoric Versus Cyber Attacks
Blue (vertical) lines are attacks by SEA
Black line is Barack Obama on Syria
Interview on the “Today Show.”
Speech at the Holocaust Memorial Museum.
Speech to Veterans of Foreign Wars.
Interview on “60 Minutes.”
Seeks approval for military intervention.
Political focus driving attacks?
Attacks following media focus?
Attacks causing media focus?
Raising the bar on targets over time?
Behavior is Hard to Fake
Targeting May Differ
But Difficult to Escape from Time
Cutting Sword of Justice
Yemeni cyber capability?
QuickLeak.ir
No social media profile
Fars News
Parastoo
Cutting Sword of Justice
Lessons for the Defender
Track geopolitical backdrop
Know your threat
Adjust defenses to actors
Identify technical capabilities and indicators for actors
Track and monitor actor behavior, key sources, and events driving them
Defenders Matrix
Actors: Qassam Cyber Fighters | Iranian Cyber Army | Parastoo | Cutting Sword of Justice | Yemen Cyber Army | CyberCaliphate | Syrian Electronic Army
Targeting: US+UK Banks | Domestic Iran, China, Azerbaijan, VOA Farsi | IAEA, US gov, Saudi, Israel | Saudi | Saudi Government | US DoD, US Media, Random websites | Western Media Companies
Media outlet hilf-ol-fozoul.blogspot.com Cryptome Fars News Agency Wikileaks
Social media outlet: None | None | None | None | None | Twitter | Twitter, Facebook
TTPs: DDoS / Brobot | Web defacing | Web defacing | Destructive malware / Shamoon | Defacing, Document exfiltration | Twitter defacing/message publication | Phishing platform + defacing, RATs
Pre-announced attacks: Yes | No | Yes | No | No | No | No
Dropbox Pastebin Quickleaks Pastebin Quickleaks Pastebin JustPaste.it sea.sy archive.is
Operationalizing Intelligence
Parastoo
Conclusions
Middle East Actors have distinct behavior
Geopolitics sets the agenda
Chasing shadows
War by proxy
Actors have defined targeting, infrastructure, behavior, etc.
Defender recommendations
OSINT can be used to monitor and stay ahead
Carefully map actor threat profile to operational stance
Be on your toes!