Threat Scenarios for Shadowmiles Limited - Case Study Example

(Faculty)

Threat profile for Shadowmiles Limited

In the recent years, organizations ranging from large to medium sized have continuously embraced new and advanced technologies. This has not only promised them more profit but has made them become competitive in the marketplace. Today, almost all departments are connected notwithstanding their geographical positions (Visintine, 2003). Through this, organizations have become efficient in their operations as well as resulting in an increased production amongst employees. However, new and advanced technologies have introduced risk and threats that have made top executives and managers wish to retire to their old traditional methods of operations. Hackers and malicious individuals seem to be ahead of defense every other time (Tittel, 2017). As such, in order to continue operating with the current technologies and maintain security, organizations need to heighten their defense approaches. One way to achieve this is to create a threat profile that can be adopted after or before an attacker lunches their endeavors. This paper therefore, aims at creating threat scenarios for Shadowmiles Limited.

About Shadowmiles Limited

Shadowmiles Limited is a world leader in the provisioning of digital identity and security technologies. Its ambition is to empower consumers and customers alike to connect, interact, communicate and even vote in today's connected world. Particularly, Shadowmiles stand at the crossroad to leverage the best in identification and security technologies to offer customized solutions to a range of clients from key industries such as the Internet of thing, identity, Telecom, and financial services. Currently, the company has employed over 8000 employees in over 50 countries and generating revenue of about $2.4 billion.

The company offers its solutions in four categories. The first category is biometrics. The company through its very capable researchers and developers has developed technologies based on facial and iris recognition, fingerprint, and vein. One of these technologies is known as automated biometric identification system which can scan and identify someone's finger on the fly as well as fast DNA matching. Most of these technologies are deployed in domains such as criminal investigation and public security. The second category is detection systems. Shadowmiles Limited has produced tomographic detection systems that can assist in detecting illegal and dangerous substances such as explosives. These systems are very helpful in place such as the airport. The third category is business solutions. The company has specialized in the development of smart card used in banks and telecoms. Particularly, the shadowmiles company has recently expanded to the development and provisioning of online identity management system and production of identity documents such as driving license and visas. Lastly, the company offers cloud services to its customers.

Possible Target Assets

There are various possible targets that a treat actor can penetrate to gain administrative privileges. One of the targets is VPN configurations. A virtual private network is a network that securely connects to local area network which is located in different geographical positions. A VPN must be configured and integrated into both networks in for communications to work successfully. When a malicious individual is able to obtain VPN configurations, he/she will be able to get into the network and still important and confidential information pertaining a given individual or organization. The second possible target is servers. Shadowmiles Limited is hosting services of many organizations ranging from financial institutions to governmental organizations. When a treat actor gets into the servers, he or she will be able to do almost everything including deleting every information residing on those servers. Additionally, the company has its own servers executing different functions. If a hacker gets into those servers, he or she will be able to steal and temper with any possible information that comes on their way. The third possible target is information residing on the cloud storage space. Many enterprises backup their vital information in some of this cloud storage. Some of this information is dependent on the operations of some businesses. As such when a malicious individual manages its way into some of these storage media and makes any changes, then those organizations will have difficulty in executing some of their operations.

Threat Scenarios

In the realm of cyber security scenario planning are an imperative tool used to mitigate future threats. Scenarios planning assist in predicting repercussions and quantifying risks as well as investing in technologies that will help reduce the impact of such attacks. The scenarios hereunder depict some of the threats that Shadowmiles Limited may face in future.

Threat Scenario Campaign-Ransomware

Typically, Ransomware is a type of Malware that focuses on limiting user access to certain information or systems unless a ransom is paid (Karaffa, 2017). This malware usually encrypts information and for it to be decrypted, users or organization have to pay a certain amount of money through online payment systems (Muckin & Fitch, 2014). Sometimes, organizations may pay this money and fail to get back their data. As such organizations may lose both their vital information as well as their money.

This threat campaign mainly focuses on an external threat actor who is fully funded to demand block certain services from being accessed unless certain ransom is paid. This threat scenario is comprised of two critical assets, one threat actor and five threat scenarios. Each scenario will be explained in detail hereunder.

Asset Categorization

Corporate servers

Asset ID

CA. SS.01 Corporate servers and servers

Attribute

Description

Description

Servers running Windows server 2008

Ownership

Shadowmiles Limited

Location

Basement of head office

Security Categorization

C

Confidentiality

Confidentiality impact assessment-high

A

Availability

Availability impact assessment-high

Asset ID

CA. SS.02. Corporate workstation

Attribute

Description

Description

Computers running windows 8.1 and MS office 2007

Ownership

Shadowmiles Limited

Location

Finance section

Security Categorization

C

Confidentiality

Confidentiality impact assessment-high

A

Availability

Availability impact assessment-high

Threat Actor

Threat Actor ID:

TA.E. 02: state sponsored TA.

Description: An individual working on its own to penetrate to organization’s system to compromise data

Relationship: External

Region of operation: China

Motive: infiltration

Intent: deliberate

Capability: well-funded, highly capable technically, high intensity

Objective: financial gain, credentials

Threat Scenario #1. Establish Foothold on the network

Mostly, threat actors normally establish their foothold by first performing reconnaissance to obtain vulnerable surface within the systems. Particularly, they leverage social engineering tools to get succinct information regarding their target populations. Since their target is corporate servers, they will scan through ports to find open ones. They will also leverage such open ports to launch their unsuspecting attacks.

Threat Campaign

TC. Ransom ware (block access of data for ransom )

Threat scenario

TS. 01- establish foothold on the network

Asset ID

CA. SS.02.

Threat actor ID

TA.E. 02

Phase

Description

Reconnaissance

The threat actor performs reconnaissance to obtain specific information pertaining the servers and the devices within the network. Threat actor may also attempt to get information regarding network posture of the organizations. The main objective is to obtain “foothold” information’s from the network and servers. Action.vulnerable.networks.systems

Weaponization

The threats actor creates word documents script, mainly a Malware to that can be used as a backdoor to the vital organization repositories. Action.word.document. Malware

Delivery

Threat actor uses compromised sites and emails to deliver the compromised world documents file to the target users. Action.phishing

Exploitation

Target users open the corrupted file on the machine to be used as backdoor.

Installation

Target users execute open to execute the compromised word document. When the user opens the world file, the Malware will install itself on their workstation.

Command and control

Not applicable

Action and objective

Threat actor has established foothold and has compromised CA. SS.02.

Covering tracks

Not applicable

#2. Penetrate servers

One way to get into someone server is by scanning for open ports. Open ports are a port that can be leveraged to access servers, workstation, and network systems. There are many port scanners available for free. For example, threat actor many use social engineering tools to scan the entire organization's network architecture to find any open ports. If one is found, threat actor will have found an attack surface to execute their missions.

Threat Campaign

TC. Ransom ware (block access of data for ransom )

Threat scenario

TS. 02- penetrate servers

Asset ID

CA. SS.02.

Threat actor ID

TA.E. 02

Phase

Description

Reconnaissance

The threat actor scans the network and servers to establish open ports. These open ports will then be used to install backdoor software’s used to take control of the entire system. Action.vulnerable.ports

Weaponization

The threats actor creates script, mainly Trojan to that will silently install it when user clicks it. Action. Malware. Trojan

Delivery

The server will send some request about software update which the malware has exploited.

Exploitation

Threat actor leverages the malware in the previously compromised world document to access servers.

Installation

Threat actor installs the Malware and the Trojan on the server. This Malware is known a Ransom ware.

Command and control

The Malware and the Trojan on the compromised servers send encrypted communication to the command and control server of the threat actor.

Action and objective

The threat actor has successfully gain administrative privileges of the server. He/she can do any action at this point. The ransomware will begin to execute the main mission.

Covering tracks

Not applicable

#3. Encrypt data and block access to the System

When the threat actor has gained full access to the servers, he/she will begin to execute its main objectives. The first objective is to encrypt the information in the servers and generate keys to the command and control servers. This information might be the vital information needed for daily activities of the organization. The second step is to deny service through denial of service attack. In order to unlock such services, the organization must pay ransom equal to what would be blinking on their screen.

Threat Campaign

TC. Ransom ware (block access of data for ransom )

Threat scenario

TS. 03- Encrypt data and block access to the System

Asset ID

CA. SS.01.

Threat actor ID

TA.E. 02

Phase

Description

Reconnaissance

Not applicable

Weaponization

Not applicable

Delivery

Not applicable

Exploitation

Not applicable

Installation

Ransomware Malware will be executed to begin files encryption. Also denial of service attack will be launched to limit user access to the services within the servers.

Command and control

Threat actor will generate decryption keys to their command and control servers.

Action and objective

The object of the threat actor is to ensure that all vital information is compromised and cannot be accessed until certain amount is paid as ransom

Covering tracks

Not applicable

#4. Demand ransom and cover tracks

Once file encryption has been done successfully, the malware will use the server to alert the user on the infiltration and certain directions for payment. These directions may also include other ways of downloading additional malware to their machines which will enable the attacker to steal other credential information. Occasionally, threat actor usually includes countdown clock with a deadline to amplify victim distress. The countdown would determine the amount of time remaining for the decrypt key to be destroyed thus eliminating any chance of recovery.

Threat Campaign

TC. Ransom ware (block access of data for ransom )

Threat scenario

TS. 04- Demand ransom and cover tracks

Asset ID

CA. SS.01.

Threat actor ID

TA.E. 02

Phase

Description

Reconnaissance

Not applicable

Weaponization

Not applicable

Delivery

Not applicable

Exploitation

Not applicable

Installation

Not applicable

Command and control

Generate alerts notifications from the command and control server with countdown clocks and payment directions

Action and objective

Demand for given ransom to release decrypt key. Delete or expose vital information if ransom is not paid. Install other malwares on the target machine

Covering tracks

Delete their backdoors and cloud based staging server.

Lessons Learned

Threat scenario planning is a significant approach for today's digital world. Organizations operating in an evolving environment need to pay attention to the many surfaces of attacks being created each day. Potently, the volumes and the characteristics of today's security threats are rapidly changing. Specifically, scriptwriters seem to be ahead of defense team thus launching attacks not covered in the security policy of the organizations.

The most common types of threats are botnets, Malware (viruses, worms, rootkits, Trojan horse) and zero-day vulnerabilities (Abomhara, 2015). These threats can be administered to the corporate systems through many ways. One way is to trick users through phishing tailored attacks to trick them to click certain links or downloads emails appearing to be from their bosses, or even redirecting them to unsuspecting compromised sites where the Malware will silently install itself without the consent of the user (Irwin, 2014). The other way is to launch denial of service attacks that will deny users ability to execute certain vital operations. These attacks vectors keep transitioning into other forms unknown to the security teams within the organization.

As mentioned earlier, there are two main concerns that need to be considered when creating organizational threat profile. The first is asset characteristics. Asset characteristics mainly encompass all the vital assets of the organization. These include servers, workstations, local area network, virtual private network configurations, information as well as people. The chances of attack, as well as the impact of such attack to those assets, need to be determined in order to measure the significance of such impact on the operation of the organizations. The measure should be determined as high, medium or low.

The second concern is threat gathering. Threat information plays a vital role when planning for organization threat profile. The source of this information can either be from within the organization or an external partisan. Internal threat information may include system logs from firewalls, intrusion detection and prevention systems and data loss prevention systems. Other elements to be viewed include computer incident forensics, threat and risk assessment report and physical security. External threat information may be obtained from international governmental intelligence sources, threat reports from paid or free third parties or shared information at the conference. Example of third parties providing threat information includes ophos’annual Security Threat Report, Microsoft Security Intelligence Report, Symantec’s Internet Security Threat Report and Mandiant’s annual M Trends Threat Report.

Conclusion

The above study clearly illustrates how important a threat profile is to a given enterprise. Through threat profiles and threat scenarios, risks and incident management team have a better way to respond to any trends of attack emerging on their networks. Specifically, threat profiles enable incident management team to determine risks that the organization may face as well as suggesting mitigation strategies to curb and to reduce such incidents. Organizations should always develop and implement such security strategies in order to continue operating with the advanced technologies as well as remaining on the competitive edge.